FirstBlood-#177New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint
This issue was discovered on FirstBlood v1

On 2021-05-11, holybugx Level 5 reported:


Hello Sean,

By default, new doctors shouldn't be able to query for appointment information and patients, however, there is an API endpoint /drpanel/drapi/qp.php in which queries for appointment information.

Previously I found out that new doctors can also query for this appointment information using the /drpanel/drapi/query.php?aptid= endpoint, my report on that issue is linked here.

I found out that a POST request to /drpanel/drapi/qp.php as a new doctor account can simply bypass the authorization needed.

Steps to reproduce

I found out that the admin doctors can query for their patients using the /drpanel/drapi/qp.php endpoint, when they query for a patient's name they will be given his information that is used to verify a patient over the phone.

If a doctor query for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:

Here is the POST request being made to the server:

  • If you make the same POST request to the /drpanel/drapi/qp.php API endpoint as a "new doctor", you should be able to query for the patient's personal information:

  • This behavior abuse the logic that "new doctors" should not be able to access patient's information.


  • Unauthorized access control

Best Regards,





FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.