FirstBlood-#159 — Unauthenticated access to PII data on /drpanel/drapi/qp.php
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, 0xblackbird reported:
Hello! I found out that /drpanel/drapi/qp.php reveals sensitive PII data like full name, address, telephone number and date of birth. This can be accessed without being authorised, which I think is a privacy issue.
Steps to reproduce
- A little list of patients will be returned in the response with PII data.
- We also have a little feature where we can search for names, for example
/drpanel/drapi/qp.php?name=John will return:
Private data can be accessed by unauthorised users. This by itself is a privacy violation.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.
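The FirstBlood note above attributes the exposure to an application logic error in which switching the request method from POST to GET makes /drapi/qp.php available to any user. The block below is an added model of that bug class, not FirstBlood's qp.php and not the reporter's code: `vulnerable_handler` and `fixed_handler` are hypothetical stand-ins for a script whose session check only runs in the POST branch, `PATIENTS` is a constructed sample table, and `probe` shows the check a tester would run (same URL, no session, both methods) to confirm the bypass and to verify a fix.

```python
"""Model of a method-dependent authorisation check (added illustration).

The handlers are hypothetical reconstructions of the logic error the page
describes: the vulnerable one authorises only POST requests and lets GET
fall through to the patient query; the fixed one decides authorisation
before it looks at the method. Nothing here is the real qp.php.
"""
from urllib.parse import parse_qs

# Constructed sample records standing in for the clinic's patient table.
PATIENTS = [
    {"name": "John Smith", "address": "1 Example St", "phone": "555-0100", "dob": "1980-01-02"},
    {"name": "Jane Doe", "address": "2 Example Ave", "phone": "555-0101", "dob": "1975-03-04"},
]

# Fields the report calls out as PII; used to decide whether a response leaks.
PII_FIELDS = {"name", "address", "phone", "dob"}


def query_patients(name=None):
    """Return all patients, or those whose name contains the search term."""
    if not name:
        return list(PATIENTS)
    return [p for p in PATIENTS if name.lower() in p["name"].lower()]


def vulnerable_handler(method, query_string, session):
    """Hypothetical buggy handler: the session check lives only in the POST branch."""
    name = parse_qs(query_string).get("name", [None])[0]
    if method == "POST":
        if not session.get("doctor"):
            return 401, {"error": "login required"}
        return 200, query_patients(name)
    # GET reaches the query without any check at all: this is the bypass.
    return 200, query_patients(name)


def fixed_handler(method, query_string, session):
    """Hardened form: authorise first, then restrict the method, then query."""
    if not session.get("doctor"):
        return 401, {"error": "login required"}
    if method not in ("GET", "POST"):
        return 405, {"error": "method not allowed"}
    name = parse_qs(query_string).get("name", [None])[0]
    return 200, query_patients(name)


def exposes_pii(status, body):
    """True when a call came back 200 with records carrying any PII field."""
    if status != 200 or not isinstance(body, list):
        return False
    return any(PII_FIELDS & set(record) for record in body)


def probe(handler, query_string=""):
    """Call the handler with an empty session over GET and POST; map method -> leaks?"""
    return {m: exposes_pii(*handler(m, query_string, {})) for m in ("GET", "POST")}


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_handler, "name=John"))
    print("fixed:     ", probe(fixed_handler, "name=John"))
```

Running the module prints `{'GET': True, 'POST': False}` for the vulnerable handler and `{'GET': False, 'POST': False}` for the fixed one, which is the shape of evidence to capture when retesting: the same unauthenticated request over every method the endpoint accepts, not just the one the front end uses.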