FirstBlood-#130It is possible to view patient's data as a new doctor
This issue was discovered on FirstBlood v1

On 2021-05-10, 0xblackbird Level 5 reported:

Hello Zseano! I found a business logic error on /drpanel/drapi/query.php and as a normal doctor, I was able to read any patient's personal data. Normally, this should not be possible for new doctors

Steps to reproduce

  • Create a new account on /register.php
  • Next, navigate to /drpanel/drapi/query.php?aptid=56911019. The ID can be obtained by either logging in as an administrator or by bruteforcing the value. The first 4 digits look to be static and do not change, so only the last 4 can or need to be bruteforced.
  • After the page loaded, we can easily read the personal date of Mrs Melissa White.


I was able to view patient's personal data as a new doctor

Thanks a lot for the fun challenge! Have a nice day!


Endpoint: /drpanel/drapi/query.php

Parameter: aptid

Payload: 56911019

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.