FirstBlood-#159Unauthenticated access to PII data on /drpanel/drapi/qp.php



On 2021-05-10, 0xblackbird reported:

Hello! I found out that /drpanel/drapi/qp.php reveals sensitive PII data like full name, address, telephone number and date of birth. This can be accessed without being authorised which I think is a privacy issue.

Steps to reproduce

  • Visit /drpanel/drapi/qp.php?name=
  • A little list of patients will be returned in the response with PII data.
  • We also have a little feature where we can search for names, for example /drpanel/drapi/qp.php?name=John will return:

Impact

Private data can be access by unauthorised users. This by itself is a privacy violation.

Kind regards, 0xblackbird

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: {name}


FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.