FirstBlood-#1543 — Anyone can edit doctors
This issue was discovered on FirstBlood v3
On 2022-12-11, pichik Level 4 reported:
Hi,
DESCRIPTION
After creating a custom wordlist I found another hidden endpoint /api/managedoctors.php.
This endpoint allows anyone to edit doctors.
As POST gives us Unauthorised!, we can just use a PUT request, which works fine.
By working step by step on this request, the response reveals everything we need: that we need to send JSON and all the required params.
Here is simple request:
PUT /api/managedoctors.php HTTP/1.1
Host: 63c0f77f87b7-pichik.a.firstbloodhackers.com
Content-Length: 88

{
"name":"PWNED",
"bio":"Hello there",
"tagline":"",
"drId":1
}
POC SCREEN:
IMPACT:
An attacker can mess with doctors' reputation, or combine it with XSS to attack users as well.
REMEDIATION:
Be more careful with managing/removing public endpoints, as they can still be fuzzed and accessed if no server-side prevention is added.
This endpoint should be internal only.
P2 High
Endpoint: /api/managedoctors.php
Parameter: Method
Payload: PUT
FirstBlood ID: 75
Vulnerability Type: Access_control
An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint
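Added illustration, not FirstBlood's code: a Python model of the method-dependent check behind this report (the PHP endpoint only rejected POST, so PUT reached the update logic) beside a deny-by-default version, plus a scan of constructed access-log lines for the same pattern. The admin session flag and the log format are assumptions; only the endpoint path comes from the report.

```python
# Added example (not FirstBlood's code): models the method-dependent access
# check behind this report and its fix, then scans constructed access-log
# lines for the same bypass pattern. The endpoint path comes from the report;
# the session/role values and log format are assumed for illustration.
import re

ENDPOINT = "/api/managedoctors.php"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def vulnerable_check(method: str, session: dict) -> int:
    """Flawed logic: only POST is gated, so PUT reaches the update code."""
    if method == "POST" and not session.get("admin"):
        return 401  # the "Unauthorised!" the reporter saw for POST
    return 200      # PUT, PATCH, DELETE fall through to the edit handler

def hardened_check(method: str, session: dict) -> int:
    """Deny by default: every state-changing method needs an admin session,
    and methods the endpoint does not implement are rejected outright."""
    if method not in STATE_CHANGING:
        return 405
    if not session.get("admin"):
        return 401
    return 200

# Assumed log layout: client, authenticated user ('-' if none), request, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_bypasses(log_lines):
    """Flag state-changing requests to the endpoint that succeeded without a
    logged-in user, i.e. the pattern described in this report."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["path"] == ENDPOINT and m["method"] in STATE_CHANGING
                and m["user"] == "-" and m["status"] == "200"):
            hits.append((m["ip"], m["method"]))
    return hits

# Constructed sample log lines (not taken from the report)
SAMPLE_LOG = [
    '203.0.113.5 - "POST /api/managedoctors.php HTTP/1.1" 401',
    '203.0.113.5 - "PUT /api/managedoctors.php HTTP/1.1" 200',
    '198.51.100.7 admin "PUT /api/managedoctors.php HTTP/1.1" 200',
    '203.0.113.5 - "GET /api/managedoctors.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    anon = {}
    print(vulnerable_check("PUT", anon), hardened_check("PUT", anon))  # 200 401
    print(find_bypasses(SAMPLE_LOG))  # [('203.0.113.5', 'PUT')]
```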