FirstBlood-#177New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint



On 2021-05-11, holybugx reported:

Description

Hello Sean,

By default, new doctors shouldn't be able to query for appointment information and patients, however, there is an API endpoint /drpanel/drapi/qp.php in which queries for appointment information.

Previously I found out that new doctors can also query for this appointment information using the /drpanel/drapi/query.php?aptid= endpoint, my report on that issue is linked here.

I found out that a POST request to /drpanel/drapi/qp.php as a new doctor account can simply bypass the authorization needed.

Steps to reproduce

I found out that the admin doctors can query for their patients using the /drpanel/drapi/qp.php endpoint, when they query for a patient's name they will be given his information that is used to verify a patient over the phone.

If a doctor query for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:

Here is the POST request being made to the server:

  • If you make the same POST request to the /drpanel/drapi/qp.php API endpoint as a "new doctor", you should be able to query for the patient's personal information:

  • This behavior abuse the logic that "new doctors" should not be able to access patient's information.

Impact

  • Unauthorized access control

Best Regards,

HolyBugx

P1 CRITICAL

Parameter:

Payload:


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.