FirstBlood-#177 — New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint
This issue was discovered on FirstBlood v1
On 2021-05-11, holybugx Level 5 reported:
Description
Hello Sean,
By default, new doctors shouldn't be able to query for appointment information and patients; however, there is an API endpoint, /drpanel/drapi/qp.php, which queries for appointment information.
Previously I found out that new doctors can also query for this appointment information using the /drpanel/drapi/query.php?aptid= endpoint; my report on that issue is linked here.
I found out that a POST request to /drpanel/drapi/qp.php as a new doctor account can simply bypass the authorization needed.
Steps to reproduce
I found out that the admin doctors can query for their patients using the /drpanel/drapi/qp.php endpoint; when they query for a patient's name, they are given the patient's information that is used to verify a patient over the phone.
If a doctor queries for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:
Here is the POST request being made to the server:
- If you make the same POST request to the /drpanel/drapi/qp.php API endpoint as a "new doctor", you should be able to query for the patient's personal information:
- This behavior abuses the logic that "new doctors" should not be able to access patients' information.
Impact
- Unauthorized access control
Best Regards,
HolyBugx
P1 CRITICAL
Parameter:
Payload:
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
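The root cause described in this report is that the "Search Patient" button is hidden from new doctors in the panel, but the /drpanel/drapi/qp.php endpoint behind it never checks the caller's role, so a replayed POST request succeeds. The following is an added example of how such an endpoint can be hardened; it is not FirstBlood's code. The session keys (`doctor_id`, `role`), the role value `admin`, the request parameter `name`, the database credentials and the `patients` table and its columns are all assumptions made for illustration. The authorization check is kept in one function so that every admin-only endpoint (the report also mentions /drpanel/drapi/query.php) enforces the same rule server-side instead of relying on the UI.

```php
<?php
// Added example, not FirstBlood's code. All names below are assumptions.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

/**
 * Central authorization gate for admin-only doctor endpoints.
 * Hiding a button in the panel is not a control: the request can be
 * replayed by any client, so the role must be checked on the server for
 * every privileged endpoint, not just the one the UI happens to call.
 */
function require_admin_doctor(): void
{
    // 1. Authentication: the session must belong to a logged-in doctor.
    if (empty($_SESSION['doctor_id'])) {              // assumed session key
        http_response_code(401);
        echo json_encode(['error' => 'not authenticated']);
        exit;
    }

    // 2. Authorization: a "new doctor" has no admin role and is refused.
    //    Log the denial so repeated attempts against privileged endpoints
    //    show up in monitoring.
    $role = $_SESSION['role'] ?? 'none';              // assumed session key
    if ($role !== 'admin') {                          // assumed role value
        http_response_code(403);
        error_log(sprintf(
            'denied admin endpoint %s: doctor_id=%s role=%s ip=%s',
            $_SERVER['SCRIPT_NAME'], $_SESSION['doctor_id'], $role,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
}

// The check runs before any request data is read or any query is built.
require_admin_doctor();

// 3. Accept only the method the front end actually uses.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'method not allowed']);
    exit;
}

// 4. Validate the search term before it reaches the database.
$name = trim($_POST['name'] ?? '');                   // assumed parameter
if ($name === '' || strlen($name) > 100) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid name']);
    exit;
}

// 5. Parameterised lookup that returns only the fields the phone
//    verification workflow needs (DSN, credentials and columns are
//    placeholders for this example).
$pdo = new PDO('mysql:host=localhost;dbname=firstblood', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Escape LIKE wildcards so a search term cannot widen the match.
$pattern = '%' . addcslashes($name, '%_\\') . '%';

$stmt = $pdo->prepare(
    'SELECT id, name, dob, phone FROM patients WHERE name LIKE :name LIMIT 20'
);
$stmt->execute([':name' => $pattern]);

echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The important line is `require_admin_doctor()` being called unconditionally at the top of the script: the original finding is an authorization check that exists only in the front end, and the fix is to make the server the place where the decision is made. Putting the gate in a shared function also gives a single place to add a regression test that sends the same POST as a non-admin session and expects a 403.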