FirstBlood-#1670: Unauthenticated user is able to change a doctor's profile
This issue was discovered on FirstBlood v3



On 2022-12-13, didsec Level 5 reported:

Hi there

I found it is possible for an unauthenticated user to edit a doctor's profile via an API call to /api/managedoctors.php

To reproduce:

  1. Visit firstbloodhackers.com/api/managedoctors.php and intercept the request
  2. Change the request to a PUT request
  3. Add the following JSON to the data and forward the request
     {
       "name": "Edited",
       "bio": "More editing here",
       "tagline": "Even more editing here",
       "drId": "1"
     }

Image before editing

As you can see, the doctor's information has been changed.

Image after editing

P2 High


FirstBlood ID: 75
Vulnerability Type: Access_control

An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint.
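The root cause described in this report is a handler that performs the database update without first checking who is calling. The following is an added example of how a hardened version of such an endpoint can be written; it is not FirstBlood's own code and does not claim to be the fix that was applied. It assumes a `doctors` table with columns `id`, `name`, `bio`, `tagline` and an `owner_user_id` column linking each record to the account allowed to edit it, a logged-in user identified by `$_SESSION['user_id']`, and a configured PDO handle in `$pdo`; all of these names are assumptions.

```php
<?php
// Added example (not FirstBlood's code): hardened PUT handler for an endpoint
// shaped like /api/managedoctors.php.
// Assumptions: table `doctors` (id, name, bio, tagline, owner_user_id),
// authenticated user in $_SESSION['user_id'], configured PDO handle in $pdo.
declare(strict_types=1);

session_start();

function json_response(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// 1. Only the intended verb reaches the update logic.
if ($_SERVER['REQUEST_METHOD'] !== 'PUT') {
    header('Allow: PUT');
    json_response(405, ['error' => 'method not allowed']);
}

// 2. Authentication. The reported bug is exactly that this check was missing:
//    an anonymous request went straight through to the UPDATE.
if (empty($_SESSION['user_id'])) {
    json_response(401, ['error' => 'authentication required']);
}
$userId = (int) $_SESSION['user_id'];

// 3. Parse and validate the JSON body before touching the database.
$input = json_decode((string) file_get_contents('php://input'), true);
if (!is_array($input) || !isset($input['drId']) || !ctype_digit((string) $input['drId'])) {
    json_response(400, ['error' => 'invalid request body']);
}
$drId = (int) $input['drId'];

// Whitelist of editable columns; anything else in the body is ignored.
$fields = [];
foreach (['name', 'bio', 'tagline'] as $key) {
    if (!array_key_exists($key, $input)) {
        continue;
    }
    if (!is_string($input[$key]) || mb_strlen($input[$key]) > 2000) {
        json_response(400, ['error' => "invalid value for $key"]);
    }
    $fields[$key] = $input[$key];
}
if ($fields === []) {
    json_response(400, ['error' => 'nothing to update']);
}

// 4. Authorization. Authentication alone is not enough: without this check any
//    logged-in user could still edit any doctor by choosing a different drId.
$stmt = $pdo->prepare('SELECT owner_user_id FROM doctors WHERE id = :id');
$stmt->execute([':id' => $drId]);
$owner = $stmt->fetchColumn();
if ($owner === false) {
    json_response(404, ['error' => 'doctor not found']);
}
if ((int) $owner !== $userId) {
    json_response(403, ['error' => 'not allowed to edit this doctor']);
}

// 5. Update only whitelisted columns via a prepared statement. Column names come
//    from the whitelist above, never from the request, so interpolating them is safe.
$assignments = implode(', ', array_map(fn (string $k): string => "$k = :$k", array_keys($fields)));
$params = [':id' => $drId, ':owner' => $userId];
foreach ($fields as $k => $v) {
    $params[":$k"] = $v;
}
$stmt = $pdo->prepare("UPDATE doctors SET $assignments WHERE id = :id AND owner_user_id = :owner");
$stmt->execute($params);

json_response(200, ['ok' => true, 'drId' => $drId]);
```

With this structure, the request from the report (a PUT with a JSON body and no session) stops at step 2 with a 401, a logged-in user supplying another doctor's `drId` stops at step 4 with a 403, and the ownership condition is repeated in the UPDATE's WHERE clause so the record cannot change hands between the check and the write.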