FirstBlood-#176 — Emails and comments of other users can be changed using IDOR on aptID
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, holybugx reported:
I've recently found out that patients can modify their information without authorization on /manageappointment.php. However, I just found out that the message of any other user can also be changed using an IDOR on the aptID of the patients.
In the other report I linked above there was no need for the IDOR on aptid and that was considered an application logic bug. However, in this case, we are making use of an IDOR on the
Steps to reproduce
- First of all, you need to make an appointment on the /book-appointment.html endpoint as an unauthenticated user; an example of such is shown below:
- After doing so you will be given an appointment ID so that later on you can use it to visit your appointment details and to modify or cancel them.
- Now open the /yourappointments.php endpoint and enter the appointment ID that you got from the previous step.
- Intercept the request to "Modify Appointment" and make the following changes, and then send the request:
- If you now go to the doctor's panel and open "Cancelled Appointments", you can see the message that "Sean Zseano" had left before is now changed to what we just set, meaning that his aptID was used and his message is now changed.
As explained above, the aptID of other users can be used to change their
In the proof of concept I showed above I changed the message of another user. Note that the
Modifying Email address of other users
- Victim's current information:
- Victim's full name:
- Victim's email:
An attacker can make his appointment as shown before, and intercept the request to "Modify Appointment" on his side:
Here is the example HTTP request the attacker has:
- Attacker adds the
- Attacker adds the
- Attacker changes his appointmentID with the victim's
I explained how an attacker can find the aptid of other users in this report. Also, it's good to note there is no need for the attacker to be a "new doctor", the same as in the report linked above; the attacker can blindly Brute-Force the last 4 digits and the email address of users with the valid
Here is the new victim's account information after the attack:
- You can notice that the
- If the attacker only wants to change the message of others, there is no need for the
- There is absolutely no need for an attacker to know the aptid of other users; he can simply Brute-Force them blindly as I showed before in this report.
- Unauthorized modification of other user's email addresses and messages using an IDOR.
Please let me know if you need further assistance.
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad case of security through obscurity was attempted.
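The root cause above is that a short, guessable integer aptID is the only thing the modify endpoint checks, so whoever can guess the number owns the record. The following is an added example (not FirstBlood's code and not its MA.php) showing the vulnerable pattern beside a hardened one: the booking step issues a high-entropy token, only a hash of the token is stored, and the modify handler authorises by that token, refuses integer-style identifiers, and allows only the fields a patient may legitimately edit. The class and method names (AppointmentStore, book, modify_insecure, modify_appointment, view, row) and the in-memory schema are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Appointment:
    apt_id: int       # internal row id; never accepted from the client
    name: str
    email: str
    message: str


class AppointmentStore:
    """In-memory stand-in for an appointments table (assumed schema, example only)."""

    MODIFIABLE = {"email", "message"}   # apt_id and name are never client-writable

    def __init__(self) -> None:
        self._rows: dict[int, Appointment] = {}
        self._by_token_hash: dict[str, int] = {}
        self._next_id = 1000

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored and used for lookup: a database leak does not
        # yield usable tokens, and the lookup key is not attacker-controlled bytes.
        return hashlib.sha256(token.encode()).hexdigest()

    def book(self, name: str, email: str, message: str) -> str:
        """Create an appointment and return the unguessable token the patient keeps."""
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, not 4 guessable digits
        apt = Appointment(self._next_id, name, email, message)
        self._rows[apt.apt_id] = apt
        self._by_token_hash[self._hash(token)] = apt.apt_id
        self._next_id += 1
        return token

    def modify_insecure(self, apt_id: int, **changes) -> bool:
        """The pattern the report describes: the integer aptID is the only
        'authorisation', so any client can rewrite any row whose id it guesses."""
        apt = self._rows.get(apt_id)
        if apt is None:
            return False
        for field, value in changes.items():
            setattr(apt, field, value)
        return True

    def modify_appointment(self, token: str, **changes) -> bool:
        """Hardened handler: authorise by booking token, touch only that row,
        and accept only fields a patient may legitimately edit."""
        if not isinstance(token, str) or len(token) < 40:
            return False                      # integer-style ids are refused outright
        if not set(changes) <= self.MODIFIABLE:
            return False                      # e.g. an attempt to set apt_id or name
        apt_id = self._by_token_hash.get(self._hash(token))
        if apt_id is None:
            return False                      # unknown token: nothing is changed
        apt = self._rows[apt_id]
        for field, value in changes.items():
            setattr(apt, field, value)
        return True

    def view(self, token: str) -> Optional[Appointment]:
        """Patient-side view: the token is the only way to reach one's own row."""
        apt_id = self._by_token_hash.get(self._hash(token))
        return None if apt_id is None else self._rows[apt_id]

    def row(self, apt_id: int) -> Optional[Appointment]:
        """Doctor-side view by internal id (what a staff panel would display)."""
        return self._rows.get(apt_id)


if __name__ == "__main__":
    # Constructed sample data, not taken from the report.
    store = AppointmentStore()
    victim = store.book("Patient A", "a@example.test", "please call me")
    other = store.book("Patient B", "b@example.test", "hello")
    # Guessing the integer id is enough on the insecure path...
    print("insecure:", store.modify_insecure(1000, message="overwritten"))
    # ...but the hardened path only ever reaches the caller's own row.
    print("hardened, own token:", store.modify_appointment(other, message="changed"))
    print("hardened, integer id:", store.modify_appointment("1000", message="x"))
    print("victim row:", store.view(victim))
```

Binding the record to a random token rather than a sequential number removes the enumeration the report relies on; a real deployment would additionally rate-limit the modify endpoint and alert on a burst of failed token lookups from one source, since a 256-bit token makes each failure a strong signal of probing rather than a typo.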