FirstBlood-#130 — It is possible to view patient's data as a new doctor
This issue was discovered on FirstBlood v1.0.0
On 2021-05-10, 0xblackbird reported:
Hello Zseano! I found a business logic error on
/drpanel/drapi/query.php and as a normal doctor, I was able to read any patient's personal data. Normally, this should not be possible for new doctors.
Steps to reproduce
- Create a new account on
- Next, navigate to
/drpanel/drapi/query.php?aptid=56911019. The ID can be obtained by either logging in as an administrator or by bruteforcing the value. The first 4 digits look to be static and do not change, so only the last 4 can or need to be bruteforced.
- After the page loaded, we can easily read the personal data of Mrs Melissa White.
I was able to view patient's personal data as a new doctor
Thanks a lot for the fun challenge! Have a nice day!
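As an added, defender-side example (not part of the report and not FirstBlood's own code), the detection logic below runs over constructed access-log lines in a hypothetical format (client IP, account, role, request line, status) and flags two things the report describes: any successful non-administrator hit on /drpanel/drapi/query.php, and one account walking many distinct aptid values, reporting the shared 4-digit prefix.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (not FirstBlood's real logs).
SAMPLE_LOG = """\
10.0.0.5 drnew doctor "GET /drpanel/drapi/query.php?aptid=56911019 HTTP/1.1" 200
10.0.0.5 drnew doctor "GET /drpanel/drapi/query.php?aptid=56911020 HTTP/1.1" 200
10.0.0.5 drnew doctor "GET /drpanel/drapi/query.php?aptid=56911021 HTTP/1.1" 200
10.0.0.5 drnew doctor "GET /drpanel/drapi/query.php?aptid=56911022 HTTP/1.1" 200
10.0.0.9 admin admin "GET /drpanel/drapi/query.php?aptid=56911019 HTTP/1.1" 200
10.0.0.7 drold doctor "GET /drpanel/index.php HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
ENDPOINT = "/drpanel/drapi/query.php"   # admin-only endpoint named in the report
APTID_RE = re.compile(r"[?&]aptid=(\d+)")

def parse(log_text):
    """Parse log lines into dicts; split the query string and pull out aptid."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not match the format
        d = m.groupdict()
        path, _, query = d["path"].partition("?")
        apt = APTID_RE.search("?" + query) if query else None
        d["path"], d["aptid"], d["status"] = path, (apt.group(1) if apt else None), int(d["status"])
        events.append(d)
    return events

def detect(events, admin_roles=("admin",), enum_threshold=3):
    """Return findings: successful non-admin hits on ENDPOINT, plus aptid
    enumeration when one non-admin account requests >= enum_threshold distinct ids."""
    findings, seen = [], defaultdict(set)
    for e in events:
        if e["path"] != ENDPOINT or e["status"] != 200:
            continue
        if e["role"] not in admin_roles:
            findings.append(("non_admin_access", e["user"], e["aptid"]))
            if e["aptid"]:
                seen[e["user"]].add(e["aptid"])
    for user, ids in seen.items():
        if len(ids) >= enum_threshold:
            prefixes = sorted({i[:4] for i in ids})   # static leading digits noted in the report
            findings.append(("aptid_enumeration", user, len(ids), prefixes))
    return findings
```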
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.