FirstBlood-#1541Leakage of doctors PII
This issue was discovered on FirstBlood v3



On 2022-12-11, pichik Level 4 reported:

Hi,

With a little bit of guessing I found an hidden endpoint /api/doctors.php, which is publicly accessible and is leaking some of their private info.

POC LINK:

https://63c0f77f87b7-pichik.a.firstbloodhackers.com/api/doctors.php

POC SCREEN:

REMEDIATION

Be more careful with managing/removing public endpoints, as they still be fuzzed accessed if no server side prevention is added.
This endpoint should be made just internal only.

P2 High

Endpoint: /api/doctors.php

Parameter: -

Payload: -


FirstBlood ID: 66
Vulnerability Type: Information leak/disclosure

It is possible to leak doctors private information such as email and phone number via the /api/doctors.php endpoint. No authentication is needed.