FirstBlood-#143 — IDOR on /drpanel/drapi/qp.php endpoint
This issue was discovered on FirstBlood v1
On 2021-05-10, codersanjay Level 3 reported:
When a new doctor registers , he cannot search for patient details.
But by sending a POST request to the following end point from the newly created doc account, Full PII disclosure of all patients is possible.
Full PII disclosure.
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.