FirstBlood-#187 — Information Disclosure allowing an attacker to register as a doctor
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, c3phas reported:
Hi, I found (After so many days of scratching my head) an information disclosure on reddit which leaks an invite code allowing one to register as a doctor.
On register.php a doctor must have an invite-code inorder to be registered.
Doing some dorking I came across a post on reddit which leaked a code
Using the above code I was able to register an account as a doctor
Anyone can get an account as a doctor
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.