By default, new doctors should not be able to query appointment or patient information; however, the API endpoint
/drpanel/drapi/qp.php handles queries for appointment information.
Previously I found out that new doctors can also query this appointment information using the
/drpanel/drapi/qp.php endpoint's sibling /drpanel/drapi/query.php?aptid=; my report on that issue is linked here.
I found out that a POST request to
/drpanel/drapi/qp.php from a new doctor account simply bypasses the authorization check that should protect it.
Steps to reproduce
I found out that admin doctors can query their patients using the
/drpanel/drapi/qp.php endpoint; when they search for a patient's name, they are given the information that is used to verify that patient over the phone.
When a doctor searches for a patient using the "Search Patient" button in their panel, a POST request is sent to the
/drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:
Here is the POST request being made to the server:
- If you make the same POST request to the
/drpanel/drapi/qp.php API endpoint as a "new doctor", you can still query the patient's personal information:
- This behavior bypasses the logic that "new doctors" should not be able to access patients' information.
- Unauthorized access control
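The root cause described above is an endpoint that authenticates the caller but never checks the caller's role. The following is an added example of what a server-side fix for the qp.php handler could look like, not the application's own code; the role names, session keys, and helper functions are assumptions.

```php
<?php
// Added example: server-side authorization for the /drpanel/drapi/qp.php
// patient search. Role names, session keys and helper names are assumptions,
// not the application's real code.
declare(strict_types=1);

// Roles permitted to run the patient lookup. A "new doctor" account is
// deliberately absent, so the check fails closed for it.
const PATIENT_QUERY_ROLES = ['admin_doctor'];

// Before: the vulnerable shape of the handler. Any logged-in doctor session
// is trusted and the request goes straight to the query.
function handle_patient_query_vulnerable(array $session, string $name): array
{
    if (empty($session['doctor_id'])) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    return ['status' => 200, 'body' => lookup_patient($name)];
}

// After: the caller must be authenticated AND authorized. The decision is
// made on the server from the session role, never from client-sent data.
function handle_patient_query(array $session, string $name): array
{
    if (empty($session['doctor_id'])) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    $role = $session['role'] ?? '';
    if (!in_array($role, PATIENT_QUERY_ROLES, true)) {
        // Log the denial so repeated attempts by one account stand out.
        error_log(sprintf('qp.php denied: doctor_id=%s role=%s',
            (string) $session['doctor_id'], $role));
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    return ['status' => 200, 'body' => lookup_patient($name)];
}

// Stand-in for the real database lookup (constructed sample data).
function lookup_patient(string $name): array
{
    $records = ['Jane Doe' => ['dob' => '1980-01-01', 'phone' => '555-0100']];
    return $records[$name] ?? [];
}

// Constructed sessions: the new doctor is refused, the admin doctor served.
$newDoctor   = ['doctor_id' => 42, 'role' => 'new_doctor'];
$adminDoctor = ['doctor_id' => 7,  'role' => 'admin_doctor'];
var_dump(handle_patient_query($newDoctor, 'Jane Doe')['status']);
var_dump(handle_patient_query($adminDoctor, 'Jane Doe')['status']);
```

The same role check must be applied to every endpoint that returns patient or appointment data, including query.php mentioned above, since a check in the panel's JavaScript alone is what lets a direct POST bypass it.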