FirstBlood-#143 IDOR on /drpanel/drapi/qp.php endpoint



On 2021-05-10, codersanjay reported:

When a new doctor registers, he cannot search for patient details.

But by sending a POST request to the following endpoint from the newly created doctor account, full PII disclosure of all patients is possible.

Impact

Full PII disclosure.

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: ""


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
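As an added illustration (not code from FirstBlood or from the reporter), the following Python models the two things a fix for this class of bug has to cover: the endpoint enforcing the caller's role on the server rather than relying on the UI hiding the search form, and an empty `name` parameter no longer matching every record. The patient rows, the role names, the handler names and the idea that an empty term acts like a SQL `LIKE '%%'` wildcard are assumptions made for the example.

```python
# Added example: models the authorization and input-handling checks for an
# admin-only patient search endpoint like /drpanel/drapi/qp.php. The patient
# rows, role names and handler names are assumptions made for this
# illustration; none of it is FirstBlood's code.
from dataclasses import dataclass

# Constructed sample rows standing in for the patient table (not real PII).
PATIENTS = [
    {"id": 1, "name": "Alice Smith", "dob": "1980-01-01", "phone": "555-0101"},
    {"id": 2, "name": "Bob Jones",   "dob": "1975-06-15", "phone": "555-0102"},
    {"id": 3, "name": "Carol White", "dob": "1990-11-30", "phone": "555-0103"},
]


@dataclass
class Session:
    user: str
    role: str  # assumed role names: "admin" or "doctor"


def _match(term):
    # Substring match, like SQL `name LIKE '%term%'`: an empty term matches every row.
    return [p for p in PATIENTS if term.lower() in p["name"].lower()]


def handle_qp_vulnerable(session, form):
    """Models the reported behaviour: any logged-in account can reach the
    endpoint (the UI hides the search from new doctors, but the API never
    checks the role), so name="" returns the whole table. The wildcard
    behaviour of an empty term is an assumption about the root cause."""
    return 200, _match(form.get("name", ""))


def handle_qp_fixed(session, form):
    """Hardened version: the role is enforced server-side on this request,
    and a blank search term is rejected instead of dumping every record."""
    if session is None or session.role != "admin":
        return 403, []
    term = form.get("name", "").strip()
    if len(term) < 2:
        return 400, []
    return 200, _match(term)


def authz_check(handler):
    """Differential test a pentester would run: the same request from a
    non-privileged doctor and from an admin must not yield the same data."""
    doctor = handler(Session("newdoctor", "doctor"), {"name": ""})
    admin = handler(Session("root", "admin"), {"name": "ali"})
    return {"doctor_status": doctor[0], "doctor_rows": len(doctor[1]),
            "admin_status": admin[0], "admin_rows": len(admin[1])}


if __name__ == "__main__":
    print("vulnerable:", authz_check(handle_qp_vulnerable))
    print("fixed:     ", authz_check(handle_qp_fixed))
```

The role check has to sit in the request handler itself: a doctor who cannot see the search form in the panel can still send the POST directly, which is exactly what the report does. Rejecting the blank term is a separate defence, since even an admin should not be able to pull the entire table with one request by accident.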


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.