FirstBlood-#177 — New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, holybugx reported:
By default, new doctors shouldn't be able to query for appointment information and patients; however, there is an API endpoint, /drpanel/drapi/qp.php, which queries for appointment information.
Previously I found out that new doctors can also query for this appointment information using the /drpanel/drapi/query.php?aptid= endpoint; my report on that issue is linked here.
I found out that a POST request to /drpanel/drapi/qp.php as a new doctor account can simply bypass the authorization needed.
Steps to reproduce
I found out that the admin doctors can query for their patients using the /drpanel/drapi/qp.php endpoint; when they query for a patient's name they will be given his information, which is used to verify a patient over the phone.
If a doctor queries for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:
Here is the POST request being made to the server:
- If you make the same POST request to the /drpanel/drapi/qp.php API endpoint as a "new doctor", you should be able to query for the patient's personal information:
- This behavior abuses the logic that "new doctors" should not be able to access patients' information.
- Unauthorized access control
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
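The root cause described in the report is a server-side handler that only verifies the caller is a logged-in doctor and never checks the doctor's privilege level. The following PHP script is an added example, not FirstBlood's own qp.php: it models a patient-search endpoint as a pure function so it runs from the CLI with no web server or database, and places the vulnerable handler beside a hardened one that denies by default unless the session carries an admin flag. The session field names ($session['loggedin'], $session['isAdmin']), the POST field name (name), and the patient records are all assumptions made for the illustration.

```php
<?php
// Added example (not FirstBlood's own code). Models a patient-search endpoint
// like /drpanel/drapi/qp.php as functions so it runs from the CLI without a
// web server or database. Field names ($session['loggedin'], $session['isAdmin'],
// $post['name']) and the patient records are assumptions for illustration.

declare(strict_types=1);

// Constructed sample data standing in for the patients table.
const PATIENTS = [
    ['name' => 'Alice Example', 'dob' => '1984-03-02', 'phone' => '555-0101'],
    ['name' => 'Bob Example',   'dob' => '1990-11-17', 'phone' => '555-0102'],
];

// Case-insensitive substring search over the constructed patient list.
function searchPatients(string $name): array
{
    return array_values(array_filter(
        PATIENTS,
        fn(array $p): bool => stripos($p['name'], $name) !== false
    ));
}

// Vulnerable handler: the only gate is "is the caller logged in as a doctor".
// A freshly registered ("new") doctor satisfies that and receives patient data.
function qpVulnerable(array $session, array $post): array
{
    if (empty($session['loggedin'])) {
        return ['status' => 401, 'body' => 'not logged in'];
    }
    $name = (string)($post['name'] ?? '');
    return ['status' => 200, 'body' => searchPatients($name)];
}

// Hardened handler: the authorization decision comes from the server-side
// session's privilege flag, never from anything in the request body, and the
// default outcome is denial. Input validation happens only after authorization.
function qpFixed(array $session, array $post): array
{
    if (empty($session['loggedin'])) {
        return ['status' => 401, 'body' => 'not logged in'];
    }
    if (($session['isAdmin'] ?? false) !== true) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '') {
        return ['status' => 400, 'body' => 'missing name'];
    }
    return ['status' => 200, 'body' => searchPatients($name)];
}

// Same POST body sent by two callers: an admin doctor and a new doctor.
$sessions = [
    'admin doctor' => ['loggedin' => true, 'isAdmin' => true],
    'new doctor'   => ['loggedin' => true, 'isAdmin' => false],
];
$post = ['name' => 'Alice'];

foreach (['qpVulnerable', 'qpFixed'] as $handler) {
    foreach ($sessions as $who => $session) {
        $r = $handler($session, $post);
        printf("%-12s %-13s -> %d %s\n", $handler, $who, $r['status'], json_encode($r['body']));
    }
}
```

Run with `php qp_example.php` (PHP 7.4 or later, for the arrow function). The vulnerable handler returns 200 with Alice's record to both callers, which is the behaviour the report reproduces; the hardened handler returns 200 for the admin doctor and 403 for the new doctor. The important design point is that the privilege check reads a value the server set at login, so a client cannot upgrade itself by adding a field to the POST body.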