FirstBlood-#182 — New doctors are able to view patient's private data through /drpanel/drapi/qp.php
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, 0xblackbird reported:
Hello zseano! I found out that new doctors are also able to view patient's data while they actually shouldn't.
Steps to reproduce
- Create a new account using the following invite code and choose any username: F16CA47250E445888824A9E63AE445CE (we previously found this code on Reddit)
- Now simply visit /drpanel/drapi/qp.php and intercept the request.
- Change the method from GET to POST and manually add the name parameter in the POST body; also don't forget the Content-Type request header. Set it to application/x-www-form-urlencoded.
- Forward the request and get back to your web browser: the response contains private information about patients that shouldn't be visible to new doctors.
I was able to view other patients' data while being a new doctor.
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
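The fix for this class of issue is a server-side privilege check that runs before any request parameter is read and that does not depend on the HTTP method. The PHP below is an added illustration, not FirstBlood's own code: the session fields `doctor_id` and `is_admin`, the helper names, and the in-memory patient list are all assumptions made for the example.

```php
<?php
// Added example (not FirstBlood's code): an admin-only API handler in the
// style of /drpanel/drapi/qp.php. Session keys and data are assumptions.
declare(strict_types=1);

session_start();

// Weak check (constructed to mirror the reported behaviour): it only asks
// "is some doctor logged in?", so a freshly registered doctor passes it.
function isLoggedInDoctor(array $session): bool
{
    return isset($session['doctor_id']);
}

// Hardened check: requires the admin flag, is evaluated before any GET or
// POST parameter is touched, and applies to every HTTP method alike.
function authorizeAdminApi(array $session): bool
{
    return isset($session['doctor_id'], $session['is_admin'])
        && $session['is_admin'] === true;
}

// Constructed sample data standing in for the real patient table.
function queryPatients(string $name): array
{
    $patients = [
        ['name' => 'Jane Doe', 'dob' => '1980-01-01'],
        ['name' => 'John Roe', 'dob' => '1975-06-30'],
    ];
    return array_values(array_filter(
        $patients,
        fn (array $p): bool => $name === '' || stripos($p['name'], $name) !== false
    ));
}

header('Content-Type: application/json');

if (!authorizeAdminApi($_SESSION)) {
    http_response_code(403);
    // Log denied attempts with account and method so they can be reviewed.
    error_log(sprintf('drapi denied: doctor=%s method=%s uri=%s',
        $_SESSION['doctor_id'] ?? 'anon',
        $_SERVER['REQUEST_METHOD'] ?? '?',
        $_SERVER['REQUEST_URI'] ?? '?'));
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// Only admins reach this point; the lookup parameter is accepted via POST only.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

echo json_encode(queryPatients((string)($_POST['name'] ?? '')));
```

With this ordering, switching GET to POST or adding the name parameter changes nothing for a non-admin session, since the 403 is returned before the parameter is ever read.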