FirstBlood-#159 — Unauthenticated access to PII data on /drpanel/drapi/qp.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Hello! I found out that
/drpanel/drapi/qp.php reveals sensitive PII data like full name, address, telephone number and date of birth. This can be accessed without being authorised, which I think is a privacy issue.
Steps to reproduce
- A little list of patients will be returned in the response with PII data.
- We also have a little feature where we can search for names, for example
Private data can be accessed by unauthorised users. This by itself is a privacy violation.
Kind regards, 0xblackbird
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error: the session check is only applied on the POST code path, so a GET request reaches the data-returning code without ever being authenticated.
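The following is an added illustration of that logic error and its fix; it is not FirstBlood's own source code. The handler, the `$patients` array, the `require_doctor_session()` helper and the `q` parameter are all assumptions chosen to model the behaviour the report describes: an authentication check that lives inside the POST branch, so any other request method skips it. The hardened version authenticates before it looks at the method or the input, and rejects non-POST methods outright.

```php
<?php
// Added example modelling the reported logic error. Not FirstBlood's code;
// $patients, require_doctor_session() and the 'q' parameter are assumptions.

session_start();

// Constructed sample records standing in for real patient PII.
$patients = [
    ['name' => 'Jane Example', 'dob' => '1980-01-01', 'phone' => '555-0100'],
    ['name' => 'John Sample',  'dob' => '1975-06-15', 'phone' => '555-0101'],
];

// Assumed helper: terminate the request unless a doctor session exists.
function require_doctor_session(): void {
    if (empty($_SESSION['doctor_id'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        exit(json_encode(['error' => 'unauthenticated']));
    }
}

// --- Vulnerable shape (kept as a comment; this is the flaw the report describes) ---
// The auth check is nested under the POST branch, so a GET request takes the
// else-branch, reads its query from $_GET and falls through to the data below.
//
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     require_doctor_session();
//     $query = $_POST['q'] ?? '';
// } else {
//     $query = $_GET['q'] ?? '';   // no session check on this path
// }

// --- Hardened shape ---
// 1. Authenticate first, unconditionally, before any method or input handling.
require_doctor_session();

// 2. Accept only the method the endpoint is designed for; everything else is 405.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    header('Content-Type: application/json');
    exit(json_encode(['error' => 'method not allowed']));
}

// 3. Only now read input, and only from the expected source.
$query = trim((string)($_POST['q'] ?? ''));

// Case-insensitive substring match on the patient name; empty query lists all.
$results = array_values(array_filter($patients, function (array $p) use ($query): bool {
    return $query === '' || stripos($p['name'], $query) !== false;
}));

header('Content-Type: application/json');
echo json_encode($results);
```

The design point is ordering: an authentication guard that is reachable only through one branch is a guard on that branch, not on the endpoint. Putting `require_doctor_session()` at the top of the file, before any `REQUEST_METHOD` comparison, means every verb, including ones the author never considered (HEAD, PUT, OPTIONS), hits the same check. Restricting to POST afterwards is defence in depth, and a quick regression test for this class of bug is simply to replay each authenticated endpoint with an alternate method and an empty session and confirm a 401 or 405 comes back rather than data.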