FirstBlood-#182New doctors are able to view patient's private data through /drpanel/drapi/qp.php



On 2021-05-11, 0xblackbird reported:

Hello zseano! I found out that new doctors are also able to view patient's data while they actually shouldn't.

Steps to reproduce

  • Create a new account using the following invite code and choose any username: F16CA47250E445888824A9E63AE445CE (we previously found this code on Redit)

  • Now simply visit /drpanel/drapi/qp.php and intercept the request.
  • Change the method from GET to POST and manually add the name parameter in the POST-body, also don't forget the Content-Type request header. Set it too application/x-www-form-urlencoded.

  • Forward the request and get back to your webbrowser, response contains private information about patients that shouldn't be visible to new doctors.

Impact

I was able to view other patient's data while being a new doctor.

Regards, 0xblackbird

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: N/A


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.