FirstBlood-#182New doctors are able to view patient's private data through /drpanel/drapi/qp.php
This issue was discovered on FirstBlood v1.0.0

On 2021-05-11, 0xblackbird Level 5 reported:

Hello zseano! I found out that new doctors are also able to view patient's data while they actually shouldn't.

Steps to reproduce

  • Create a new account using the following invite code and choose any username: F16CA47250E445888824A9E63AE445CE (we previously found this code on Redit)

  • Now simply visit /drpanel/drapi/qp.php and intercept the request.
  • Change the method from GET to POST and manually add the name parameter in the POST-body, also don't forget the Content-Type request header. Set it too application/x-www-form-urlencoded.

  • Forward the request and get back to your webbrowser, response contains private information about patients that shouldn't be visible to new doctors.


I was able to view other patient's data while being a new doctor.

Regards, 0xblackbird


Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: N/A

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.