FirstBlood-#159Unauthenticated access to PII data on /drpanel/drapi/qp.php
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, 0xblackbird Level 4 reported:

Hello! I found out that /drpanel/drapi/qp.php reveals sensitive PII data like full name, address, telephone number and date of birth. This can be accessed without being authorised which I think is a privacy issue.

Steps to reproduce

  • Visit /drpanel/drapi/qp.php?name=
  • A little list of patients will be returned in the response with PII data.
  • We also have a little feature where we can search for names, for example /drpanel/drapi/qp.php?name=John will return:

Impact

Private data can be access by unauthorised users. This by itself is a privacy violation.

Kind regards, 0xblackbird

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: {name}


FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error