FirstBlood-#1455 Doctors can change doctor's profile photo
This issue was discovered on FirstBlood v3

On 2022-12-10, 0xblackbird (Level 5) reported:

I found out with @ayush1098 that authenticated users can change other doctors' profile photos by supplying the photoUrl parameter. This shouldn't be possible, as stated below.

Possible cause:

The developers might have underestimated that the API can also be invoked directly and that the parameter could be guessed.
Any authenticated user can change the profile photo of another doctor.

Steps to reproduce:

1) Log in using the default credentials: admin:admin

2) Replicate the following request

POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: {HOST}
Cookie: drps={SESS_COOKIE}
Content-Type: application/x-www-form-urlencoded
Content-Length: 127

3) Once sent, the profile URL should have changed; you can cross-check this by visiting /meet_drs.php or /drpanel/edit-doctor.php?id=1

I recommend not accepting the photoUrl parameter anymore.

P4 Low

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: {PATH}

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified, but it is actually possible to modify them.
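The reporter's recommendation (stop accepting photoUrl) amounts to replacing "take whatever fields the client sends" with an explicit allow-list. The PHP below is an added illustration written for this page, not FirstBlood's actual edit-dr.php; the editable column names and the sample request body are assumptions.

```php
<?php
// Added illustration, not FirstBlood's own code. Field names are assumed.

// Vulnerable pattern: every submitted field becomes a column update, so an
// undocumented parameter such as photoUrl is honoured as soon as someone
// calls the API directly instead of through the form.
function buildUpdateUnsafe(array $post): array
{
    $update = [];
    foreach ($post as $field => $value) {
        if ($field !== 'id') {
            $update[$field] = $value;
        }
    }
    return $update;
}

// Hardened pattern: only fields on an explicit allow-list are copied out of
// the request. photoUrl is deliberately absent, so supplying it has no
// effect, matching the requirement that doctor photos cannot be modified.
const EDITABLE_DOCTOR_FIELDS = ['name', 'speciality', 'bio'];

function buildUpdateSafe(array $post): array
{
    $update = [];
    foreach (EDITABLE_DOCTOR_FIELDS as $field) {
        if (isset($post[$field])) {
            $update[$field] = trim((string) $post[$field]);
        }
    }
    return $update;
}

// Detection aid: anything outside the allow-list (other than the record id)
// is worth logging, since legitimate form submissions never send it.
function unexpectedFields(array $post): array
{
    return array_values(array_diff(array_keys($post), EDITABLE_DOCTOR_FIELDS, ['id']));
}

// Constructed request body resembling the report's reproduction step.
$post = [
    'id'       => '1',
    'name'     => 'Dr. Example',
    'photoUrl' => '/uploads/unexpected.png',
];

var_dump(array_key_exists('photoUrl', buildUpdateUnsafe($post)));
var_dump(array_key_exists('photoUrl', buildUpdateSafe($post)));
foreach (unexpectedFields($post) as $field) {
    error_log("edit-dr: ignoring unexpected parameter '$field'");
}
```

With the constructed body, only the unsafe builder carries photoUrl through to the update, and the logging loop records the stray parameter so attempts like the one reported are visible in server logs.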