FirstBlood-#145 — Patient's can modify their information without authorization on "/manageappointment.php" endpoint
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
I've just realized that patients can modify their information on the
/manageappointment.phpendpoint which they shouldn't be able to due to:
For this to be exploited users need to set the following cookie in their browser or the Cookie header in the HTTP request:
which is the Base-64 encoded version of:
Having this cookie in their browser or the Cookie header in the HTTP request makes it possible for them to edit more information on their appointment details besides the comments that are allowed to be changed.
Steps to reproduce
- First of all, you need to make an appointment on the
/book-appointment.htmlendpoint as a low privilege unauthenticated user, an example of such is shown below:
- After doing so you will be given an appointment ID so that later on you can use it to visit your appointment details and to modify or cancel them.
- Now open the
/yourappointments.phpendpoint and enter the appointment id that you got from the previous step.
- Intercepting the request of the "modify appointment" results in the following HTTP request:
- Add the following cookie to the
so it's going to be like:
Cookie: drps=9b059c14344c91dcb5c358ce6; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
Also keep in mind that your
drpscookie is different from mine (if exists at all).
Now you can add other headers and edit them to your desired value:
- Now if you go back to the
/manageappointment.phpendpoint with your appointment id you can see that your
- Unauthorized modification of the account information
- Application logic bypass
If you need any further assistance please let me know.
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.