FirstBlood-#182 — New doctors are able to view patient's private data through /drpanel/drapi/qp.php
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-11, 0xblackbird reported:
Hello zseano! I found out that new doctors are also able to view patients' data while they actually shouldn't.
Steps to reproduce
- Create a new account using the following invite code and choose any username:
F16CA47250E445888824A9E63AE445CE (we previously found this code on Reddit)
- Now simply visit /drpanel/drapi/qp.php and intercept the request.
- Change the method from GET to POST and manually add the name parameter in the POST body; also don't forget the Content-Type request header. Set it to application/x-www-form-urlencoded.
- Forward the request and get back to your web browser; the response contains private information about patients that shouldn't be visible to new doctors.
I was able to view other patients' data while being a new doctor.
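The defect the report describes is a missing server-side authorization check on an administrator endpoint. The following is an added example, not FirstBlood's code: a qp.php-style handler with the assumed vulnerable shape next to a hardened version whose role check is enforced before any lookup and independently of HTTP method. Session keys, the patients table, and the function names are assumptions, and the patient row is constructed sample data.

```php
<?php
// Added example, not FirstBlood's code: a qp.php-style handler with the
// access-control defect the report describes, next to a hardened version.
// Session keys, table layout and names are assumptions; rows are constructed.

function load_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE patients (name TEXT, dob TEXT, notes TEXT)');
    $db->exec("INSERT INTO patients VALUES ('Alice Example', '1980-01-01', 'constructed sample record')");
    return $db;
}

// VULNERABLE (assumed shape): only "is some doctor logged in?" is checked.
// Any freshly registered doctor who POSTs name=... gets the record back,
// which matches the behaviour observed in the report.
function qp_vulnerable(array $session, array $post, PDO $db): array {
    if (empty($session['doctor_id'])) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    $stmt = $db->prepare('SELECT name, dob, notes FROM patients WHERE name = ?');
    $stmt->execute([$post['name'] ?? '']);
    return ['status' => 200, 'body' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// HARDENED: the role comes from the server-side session, is checked before
// any database access, and does not depend on HTTP method, parameter
// location or Content-Type, so switching GET to POST changes nothing.
function qp_hardened(array $session, array $post, PDO $db): array {
    if (empty($session['doctor_id'])) {
        return ['status' => 401, 'body' => ['error' => 'login required']];
    }
    if (($session['role'] ?? '') !== 'admin') {
        // Deny by default and log the attempt so it can be alerted on.
        error_log(sprintf('qp.php: doctor %s (role=%s) denied',
            $session['doctor_id'], $session['role'] ?? 'none'));
        return ['status' => 403, 'body' => ['error' => 'admin only']];
    }
    $stmt = $db->prepare('SELECT name, dob, notes FROM patients WHERE name = ?');
    $stmt->execute([$post['name'] ?? '']);
    return ['status' => 200, 'body' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// Simulate the report: a newly invited, non-admin doctor POSTs name=...
$db = load_db();
$newDoctor = ['doctor_id' => 42, 'role' => 'doctor'];
$leak = qp_vulnerable($newDoctor, ['name' => 'Alice Example'], $db);
$safe = qp_hardened($newDoctor, ['name' => 'Alice Example'], $db);
printf("vulnerable: HTTP %d, %d record(s) returned\n", $leak['status'], count($leak['body']));
printf("hardened:   HTTP %d\n", $safe['status']);
```

Run it with `php` and the pdo_sqlite extension; the hardened handler answers 403 for the same request that the vulnerable one serves with the patient record.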
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.