FirstBlood-#130It is possible to view patient's data as a new doctor



On 2021-05-10, 0xblackbird reported:

Hello Zseano! I found a business logic error on /drpanel/drapi/query.php and as a normal doctor, I was able to read any patient's personal data. Normally, this should not be possible for new doctors

Steps to reproduce

  • Create a new account on /register.php
  • Next, navigate to /drpanel/drapi/query.php?aptid=56911019. The ID can be obtained by either logging in as an administrator or by bruteforcing the value. The first 4 digits look to be static and do not change, so only the last 4 can or need to be bruteforced.
  • After the page loaded, we can easily read the personal date of Mrs Melissa White.

Impact

I was able to view patient's personal data as a new doctor

Thanks a lot for the fun challenge! Have a nice day!

P1 CRITICAL

Endpoint: /drpanel/drapi/query.php

Parameter: aptid

Payload: 56911019


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.