FirstBlood-#1804 — Appointment UUIDs leaked through new ambulances API endpoint
This issue was discovered on FirstBlood v3
On 2022-12-17, 0xblackbird Level 5 reported:
I found out that the /api/ambulances.php endpoint discloses UUIDs + private data of all appointments made (where ambulance was set to 1 during booking). This should not be possible for unprivileged users.
The developers may have added the all keyword for debugging purposes but forgot about it somehow.
I was able to reveal all the private appointments' data + UUIDs (this allows me to modify them, for example). This shouldn't be possible.
Steps to reproduce:
1) After visiting /api/ambulances.php?select=all, for example, we can find the full location in the response
I recommend removing the all keyword from this endpoint for unprivileged users.
Have a nice day!
FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure
The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied
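The following is an added example, not code from FirstBlood or from the report author. It models the access-control flaw in Python so it can be run offline: a handler that behaves as the report describes (select=all dumps every ambulance booking to anyone), the hardened handler beside it (the all keyword is gated on a privileged session and fails closed, and any other value must be a well-formed UUID), and a regression check that counts rows in a response that do not belong to the caller. Everything about the real application is assumed: the appointment columns, the is_admin session flag, and that the legitimate unprivileged use is looking up one appointment by a UUID the caller already holds. The sample appointments and their UUIDs are constructed for this example.

```python
"""Added example, not code from FirstBlood or the report author.

A Python model of the access-control flaw reported against
/api/ambulances.php?select=all, with a hardened handler beside it and a
regression check a tester can run against a captured response.

Everything below about the real application is an assumption:
  - appointment rows carry uuid, name, location and an 'ambulance' flag;
  - the only legitimate unprivileged use is looking up one appointment by a
    UUID the caller already holds;
  - privilege is an 'is_admin' flag in the server-side session.
"""
import uuid

# Constructed sample table; the UUIDs were generated for this example.
APPOINTMENTS = [
    {"uuid": "8b2f0b0e-4f7a-4c9a-9a1d-1f0a2b3c4d5e", "name": "A. Patient",
     "location": "12 High St", "ambulance": 1},
    {"uuid": "c3d4e5f6-1111-4222-8333-444455556666", "name": "B. Patient",
     "location": "7 Mill Lane", "ambulance": 1},
    {"uuid": "0a1b2c3d-9999-4888-b777-666655554444", "name": "C. Patient",
     "location": "3 Oak Rd", "ambulance": 0},
]


def _lookup_one(canonical_uuid):
    """Single-appointment view: only the fields the booking holder needs."""
    return [{"uuid": r["uuid"], "location": r["location"]}
            for r in APPOINTMENTS
            if r["uuid"] == canonical_uuid and r["ambulance"] == 1]


def vulnerable_ambulances(params, session):
    """Models the reported behaviour: select=all dumps every ambulance booking,
    UUIDs and private data included, with no privilege check at all."""
    select = params.get("select", "")
    if select == "all":                      # debug branch left in
        return 200, [r for r in APPOINTMENTS if r["ambulance"] == 1]
    return 200, _lookup_one(select)


def hardened_ambulances(params, session):
    """Same endpoint with the fix the report asks for: 'all' is gated on a
    privileged session and fails closed; everything else must be a UUID."""
    select = params.get("select", "")
    if select == "all":
        if not session.get("is_admin", False):
            return 403, {"error": "forbidden"}
        return 200, [r for r in APPOINTMENTS if r["ambulance"] == 1]
    try:
        canonical = str(uuid.UUID(select))   # normalises case/braces, rejects junk
    except (ValueError, AttributeError, TypeError):
        return 400, {"error": "select must be an appointment UUID"}
    return 200, _lookup_one(canonical)


def foreign_rows(status, body, own_uuid):
    """Regression check: rows in a 200 response that belong to someone other
    than the caller. A non-empty result means the endpoint is still leaking."""
    if status != 200 or not isinstance(body, list):
        return []
    return [r for r in body if r.get("uuid") != own_uuid]


if __name__ == "__main__":
    me = APPOINTMENTS[0]["uuid"]
    for name, handler in (("vulnerable", vulnerable_ambulances),
                          ("hardened", hardened_ambulances)):
        status, body = handler({"select": "all"}, {})   # unauthenticated caller
        print(f"{name}: HTTP {status}, foreign rows leaked: "
              f"{len(foreign_rows(status, body, me))}")
```

The hardened handler returns 403 rather than silently falling through to the per-UUID path, so a debug keyword that resurfaces later is noticed instead of quietly reinterpreted; the UUID parse also keeps the lookup from accepting arbitrary strings. The foreign_rows check is the kind of assertion worth keeping in the test suite after the fix: run the unauthenticated select=all request and require that zero rows other than the caller's own come back.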