FirstBlood-#192Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php
This issue was discovered on FirstBlood v1.0.0



On 2021-05-11, iffu Level 5 reported:

Hi zseano...

Summary

I've found a privilege escalation bug on the application. It is very simple. We gain administrative privileges by simply changing the admin cookie with the low pivileged account's cookie.

Probably, the process to check if a user is admin or not is done on the client side because I see alerts and other javascript stuff displayed when I check details of other users using low privileged account.

Steps to reproduce

  • Surf every endpoint on the /drpanel with the provided admin credentials.
  • Turn on the burp while doing this.
  • Now, on /drpanel/drapi/query.php and /drpanel/drapi/query.php requests, just change the cookie of admin with that of low privileged user's.
  • You will observe that you are getting the response which is not intentional.
  • You have bypassed the client side validations and checkings.

Thanks zseano and please let me know if you need any more information regarding this

P1 CRITICAL

Endpoint: /drpanel/drapi/query.php and /drpanel/drapi/query.php

Parameter: ***

Payload: ***


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.