FirstBlood-#145 — Patient's can modify their information without authorization on "/manageappointment.php" endpoint
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, holybugx reported:
I've just realized that patients can modify their information on the
/manageappointment.php endpoint which they shouldn't be able to due to:
For this to be exploited users need to set the following cookie in their browser or the Cookie header in the HTTP request:
which is the Base-64 encoded version of:
Having this cookie in their browser or the Cookie header in the HTTP request makes it possible for them to edit more information on their appointment details besides the comments that are allowed to be changed.
Steps to reproduce
- First of all, you need to make an appointment on the
/book-appointment.html endpoint as a low privilege unauthenticated user, an example of such is shown below:
- After doing so you will be given an appointment ID so that later on you can use it to visit your appointment details and to modify or cancel them.
- Now open the
/yourappointments.php endpoint and enter the appointment id that you got from the previous step.
- Intercepting the request of the "modify appointment" results in the following HTTP request:
- Add the following cookie to the
so it's going to be like:
Cookie: drps=9b059c14344c91dcb5c358ce6; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
- Now if you go back to the
/manageappointment.php endpoint with your appointment id you can see that your
email has been changed:
- Unauthorized modification of the account information
- Application logic bypass
If you need any further assistance please let me know.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.
Respect Earnt: 2000000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.