FirstBlood-#1455 Doctors can change doctor's profile photo
This issue was discovered on FirstBlood v3

On 2022-12-10, 0xblackbird Level 5 reported:

Summary:

Hi!

I found out with @ayush1098 that authenticated users can change other doctors' profile photos by supplying the photoUrl parameter. This shouldn't be possible, as stated below.

Possible cause:

The developers might have underestimated that the API can also be invoked directly and that the parameter could be guessed.

Impact:

Any authenticated user can change the profile photo of another doctor.

Steps to reproduce:

1) Log in using the default credentials: admin:admin

2) Replicate the following request:

POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: {HOST}
Cookie: drps={SESS_COOKIE}
Content-Type: application/x-www-form-urlencoded
Content-Length: 127

drid=1&name=test&bio=&bookable=0&photoUri={PATH}

3) Once sent, the profile photo URL will have been changed; you can cross-check this by visiting /meet_drs.php or /drpanel/edit-doctor.php?id=1

Mitigation:

I recommend not accepting the photoUrl parameter anymore.

Have a nice day!

Kind regards,

0xblackbird

P4 Low

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: {PATH}

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified, but it is actually possible to modify them.
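The fix the report recommends is to stop honouring a photo parameter on edit-dr.php at all. The following is an added example of how that looks server-side, not FirstBlood's own code: the handler copies only an allow-list of fields out of the POST body and fixes the column list in the UPDATE statement, so a hand-built request carrying photoUrl (named photoUri in the captured request above; both spellings are dropped) can never reach the database. The field names drid/name/bio/bookable come from the report; the doctors table and its column names are assumptions.

```php
<?php
// Added example, not FirstBlood's own code. Field names drid/name/bio/bookable
// come from the report's request; the table and column names are assumptions.

// Keep only the fields the doctor-edit form is meant to submit. Anything else
// (photoUrl, photoUri, ...) is dropped, so a hand-built request cannot update
// columns the UI never exposes. The photo is deliberately not in this list.
function filterEditDoctorInput(array $post): array
{
    $allowed = ['drid', 'name', 'bio', 'bookable'];
    $clean = [];
    foreach ($allowed as $field) {
        if (array_key_exists($field, $post)) {
            $clean[$field] = $post[$field];
        }
    }
    // Normalise to the types the UPDATE statement expects.
    $clean['drid']     = (int) ($clean['drid'] ?? 0);
    $clean['bookable'] = (($clean['bookable'] ?? '0') === '1') ? 1 : 0;
    $clean['name']     = trim((string) ($clean['name'] ?? ''));
    $clean['bio']      = (string) ($clean['bio'] ?? '');
    return $clean;
}

// Build the UPDATE from the filtered fields only: the column list is fixed in
// the query text and never derived from client-supplied keys.
function buildDoctorUpdate(PDO $db, array $clean): PDOStatement
{
    $stmt = $db->prepare(
        'UPDATE doctors SET name = :name, bio = :bio, bookable = :bookable'
        . ' WHERE id = :id'
    );
    $stmt->bindValue(':name', $clean['name']);
    $stmt->bindValue(':bio', $clean['bio']);
    $stmt->bindValue(':bookable', $clean['bookable'], PDO::PARAM_INT);
    $stmt->bindValue(':id', $clean['drid'], PDO::PARAM_INT);
    return $stmt;
}

// Constructed sample mirroring the report's request body; photoUri must vanish.
parse_str('drid=1&name=test&bio=&bookable=0&photoUri=/uploads/x.png', $sample);
$filtered = filterEditDoctorInput($sample);
assert(!array_key_exists('photoUri', $filtered));
assert($filtered === ['drid' => 1, 'name' => 'test', 'bio' => '', 'bookable' => 0]);
```

Photo changes then go through whatever dedicated upload flow the application intends, and a request that smuggles a photo field into edit-dr.php is a useful signal to log because the legitimate form never sends one.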