FirstBlood-#1475: Info Leak on api/ambulances.php leads to IDOR on manageappointment
This issue was discovered on FirstBlood v3



On 2022-12-10, twsec Level 2 reported:

Hi Sean,

This report chains 2 vulnerabilities, one in /api/ambulances.php and one in manageappointment.php.

Steps to reproduce:

1- Navigate to /api/ambulances.php. In the request /api/ambulances.php?select=, instead of entering an apptid, enter the keyword all; thus, the API reveals all the appointment IDs it has. Here you can see all the appointment IDs.

2- User1 has an ID of 63672f98-55af-4df2-9c45-24cebd06efc3, and now, after finding all the IDs, he decided to cancel all other IDs. User2 has ID: 2d747e59-8eea-4c92-81e3-30f6eb68cf74. Both are valid, and we can make sure of that in yourappointment.

3- The malicious User1 decides to enter User2's ID and cancel his appointment. He does that, and after checking the apptid, it's invalid.

P2 High


FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure

The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied
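
The two server-side checks whose absence this chain relies on, as an added example that is not FirstBlood's code: the lookup accepts only a single well-formed ID owned by the caller, and cancellation re-checks ownership. The function names, the in-memory store and the idea of a session user per appointment are assumptions; the two IDs are the ones quoted in the report.

```php
<?php
declare(strict_types=1);

// Constructed store: appointment ID => owner. The two IDs are those quoted in the report.
const APPOINTMENTS = [
    '63672f98-55af-4df2-9c45-24cebd06efc3' => 'user1',
    '2d747e59-8eea-4c92-81e3-30f6eb68cf74' => 'user2',
];
const UUID_RE = '/\A[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/';

// Hypothetical handler for ?select=: one well-formed ID, owned by the caller.
function selectAppointment(array $store, string $select, string $sessionUser): array
{
    // Keywords such as "all" fail the format check, so there is no bulk listing.
    if (preg_match(UUID_RE, $select) !== 1) {
        return ['status' => 400, 'ids' => []];
    }
    // Same 404 for "missing" and "not yours": the reply is not an existence oracle.
    if (($store[$select] ?? null) !== $sessionUser) {
        return ['status' => 404, 'ids' => []];
    }
    return ['status' => 200, 'ids' => [$select]];
}

// Hypothetical cancel action: ownership is enforced server-side on every request,
// so knowing another patient's ID is not enough to cancel their appointment.
function cancelAppointment(array &$store, string $apptId, string $sessionUser): int
{
    if (preg_match(UUID_RE, $apptId) !== 1) {
        return 400;
    }
    if (($store[$apptId] ?? null) !== $sessionUser) {
        return 404;
    }
    unset($store[$apptId]);
    return 200;
}

$store = APPOINTMENTS;
$user2Id = '2d747e59-8eea-4c92-81e3-30f6eb68cf74';
printf("select=all as user1    -> %d\n", selectAppointment($store, 'all', 'user1')['status']);
printf("select=user2's ID      -> %d\n", selectAppointment($store, $user2Id, 'user1')['status']);
printf("user1 cancels user2's  -> %d\n", cancelAppointment($store, $user2Id, 'user1'));
printf("user2 still booked     -> %s\n", isset($store[$user2Id]) ? 'yes' : 'no');
printf("user2 cancels own      -> %d\n", cancelAppointment($store, $user2Id, 'user2'));
```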