FirstBlood-#130 — It is possible to view patient's data as a new doctor
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, 0xblackbird reported:
Hello Zseano! I found a business logic error on /drpanel/drapi/query.php and, as a normal doctor, I was able to read any patient's personal data. Normally, this should not be possible for new doctors.
Steps to reproduce
- Create a new account on
- Next, navigate to
/drpanel/drapi/query.php?aptid=56911019. The ID can be obtained by either logging in as an administrator or by brute-forcing the value. The first 4 digits look to be static and do not change, so only the last 4 can or need to be brute-forced.
- After the page has loaded, we can easily read the personal data of Mrs Melissa White.
I was able to view a patient's personal data as a new doctor.
Thanks a lot for the fun challenge! Have a nice day!
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, revealing sensitive patient information.
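The fix this finding calls for is an object-level authorization check on the endpoint itself, not just a hidden link. The handler below is an added illustration and is not FirstBlood's code: it assumes a hypothetical `appointments` table with a `doctor_id` column and session keys `doctor_id` and `role`, and returns the record only when the caller is an administrator or the doctor the appointment is assigned to.

```php
<?php
// Added example (not FirstBlood's code): object-level authorization for a
// query.php-style endpoint that returns an appointment record by aptid.
// Assumptions: table appointments(id, doctor_id, patient_name, notes) and
// session keys $_SESSION['doctor_id'] and $_SESSION['role'] ('doctor'|'admin').
session_start();

function load_appointment(PDO $db, int $aptid): ?array
{
    $stmt = $db->prepare('SELECT id, doctor_id, patient_name, notes FROM appointments WHERE id = :id');
    $stmt->execute([':id' => $aptid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Admins may read any appointment; a doctor only those assigned to them.
function may_view(array $session, array $appointment): bool
{
    $role = $session['role'] ?? '';
    if ($role === 'admin') {
        return true;
    }
    return $role === 'doctor'
        && isset($session['doctor_id'])
        && (int)$session['doctor_id'] === (int)$appointment['doctor_id'];
}

if (!isset($_SESSION['doctor_id'])) {
    http_response_code(401);
    exit;
}

$aptid = filter_input(INPUT_GET, 'aptid', FILTER_VALIDATE_INT);
if ($aptid === false || $aptid === null) {
    http_response_code(400);
    exit;
}

$db = new PDO('sqlite:drpanel.db'); // placeholder DSN, not the real database
$appointment = load_appointment($db, $aptid);

// Same 404 for "no such record" and "not yours", so a non-privileged account
// cannot use the response to learn which aptid values exist.
if ($appointment === null || !may_view($_SESSION, $appointment)) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/json');
echo json_encode($appointment);
```

Because the check is keyed on the record's owner rather than on the caller's role alone, a doctor who guesses or is given a valid aptid still receives nothing for appointments that are not theirs.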
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.