FirstBlood-#143IDOR on /drpanel/drapi/qp.php endpoint
This issue was discovered on FirstBlood v1

On 2021-05-10, codersanjay Level 3 reported:

When a new doctor registers , he cannot search for patient details.

But by sending a POST request to the following end point from the newly created doc account, Full PII disclosure of all patients is possible.


Full PII disclosure.


Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: ""

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.