FirstBlood-#1672 Able to delete an ambulance from an appointment
This issue was discovered on FirstBlood v3

On 2022-12-13, didsec Level 5 reported:

Hi there

I found it is possible to delete an ambulance from an appointment via an API call to /api/manageambulances.php

To reproduce:

  1. Visit and fill in the information required to make an appointment
  2. Click Book Appointment and intercept the request
  3. Add &ambulance=1 to the data and forward the request
  4. Take note of the created appointment ID
  5. Visit{appointment ID} and take note of the ambId
  6. Visit{ambId} and intercept the request
  7. Change the request to a DELETE request and forward the request

The ambulance has now been deleted from the appointment. We can check this by visiting{appointment ID} or by making a call to /api/ambulances.php

P2 High

FirstBlood ID: 77
Vulnerability Type: Access_control

Sending an unauthenticated DELETE request to /api/manageambulances.php will cause that ambulance to be deleted
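The missing control is a server-side authentication and authorization check on the DELETE path: the handler honoured the verb without establishing who the caller was or whether they were allowed to touch that ambulance. The following is an added example, written for this page and not FirstBlood's own code, of how a handler behind an endpoint such as /api/manageambulances.php can be hardened in PHP. The session keys, the `ambId` parameter name, the `X-CSRF-Token` header, the SQLite connection and the `ambulances`/`appointments` table layout are all assumptions.

```php
<?php
// Added example of a hardened DELETE handler for a management endpoint such as
// /api/manageambulances.php. Not FirstBlood's code: session key names, the
// `ambId` parameter, the CSRF header and the database schema are assumptions.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// 1. Authentication. The report's finding is that an unauthenticated DELETE was
//    honoured, so the very first thing the handler does is refuse callers that
//    do not have a logged-in session.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'authentication required']);
    exit;
}

// 2. Method check: a state-changing handler should accept only the verb it is
//    designed for, rather than acting on whatever verb the client chose.
if ($_SERVER['REQUEST_METHOD'] !== 'DELETE') {
    header('Allow: DELETE');
    http_response_code(405);
    echo json_encode(['error' => 'method not allowed']);
    exit;
}

// 3. CSRF: a browser-driven DELETE must carry a token that a cross-site page
//    cannot read. hash_equals() compares in constant time.
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($token === '' || !hash_equals((string) ($_SESSION['csrf_token'] ?? ''), $token)) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid CSRF token']);
    exit;
}

// 4. Input validation: ambId may arrive in the body or the query string and must
//    be a positive integer. filter_var() returns false for null or junk.
parse_str(file_get_contents('php://input'), $body);
$ambId = filter_var(
    $body['ambId'] ?? $_GET['ambId'] ?? null,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($ambId === false) {
    http_response_code(400);
    echo json_encode(['error' => 'ambId must be a positive integer']);
    exit;
}

// 5. Authorization, enforced in the query itself: the row is deleted only if the
//    ambulance belongs to an appointment booked by the current user. The DSN,
//    table names and column names are assumptions.
$pdo = new PDO('sqlite:firstblood.db');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare(
    'DELETE FROM ambulances
      WHERE id = :ambId
        AND appointment_id IN (SELECT id FROM appointments WHERE user_id = :userId)'
);
$stmt->execute([':ambId' => $ambId, ':userId' => $_SESSION['user_id']]);

// rowCount() of 0 means the id does not exist OR it is not this user's; answer
// both cases identically so the endpoint cannot be used to enumerate valid ids.
if ($stmt->rowCount() === 0) {
    http_response_code(404);
    echo json_encode(['error' => 'not found']);
    exit;
}

http_response_code(200);
echo json_encode(['deleted' => $ambId]);
```

The ordering matters: authentication is checked before anything is parsed, and the ownership rule lives in the same statement that performs the delete, so there is no window in which a valid-looking id is acted on before the authorization decision is made.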

Report Feedback


Creator & Administrator

Congratulations, you were third to discover this!