FirstBlood-#192 — Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, iffu reported:
I've found a privilege escalation bug on the application. It is very simple. We gain administrative privileges by simply replacing the admin cookie with the low-privileged account's cookie.
Steps to reproduce
- Surf every endpoint on the /drpanel with the provided admin credentials.
- Turn on Burp while doing this.
- Now, on the /drpanel/drapi/query.php and /drpanel/drapi/query.php requests, just replace the admin's cookie with that of the low-privileged user.
- You will observe that you get a response that is not intended.
- You have bypassed the client-side validations and checks.
Thanks zseano, and please let me know if you need any more information regarding this.
/drpanel/drapi/query.php and /drpanel/drapi/query.php
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
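The root cause described above is an endpoint that confirms a session exists but never checks the role tied to that session on the server. The following is an added illustration, not FirstBlood's code: a hypothetical handler for an admin-only query endpoint that shows the authentication-only check beside a proper server-side authorization check. The session store, cookie values and role names are constructed for the example.

```php
<?php
// Added illustration (not FirstBlood's code) of a server-side authorization gate
// for an admin-only API such as /drpanel/drapi/query.php.
// Assumed design: the session cookie is an opaque ID that maps to a server-side
// record holding the user's role; the role is never read from the cookie itself.

// Constructed session store standing in for a database lookup.
const SESSIONS = [
    'sess_admin_0001'  => ['user' => 'admin',   'role' => 'admin'],
    'sess_doctor_0002' => ['user' => 'drsmith', 'role' => 'doctor'],
];

// Vulnerable pattern: only checks that *some* valid session exists.
// A doctor's cookie passes this check just as well as the admin's,
// which is exactly the behaviour the report describes.
function isAuthenticated(?string $sessionId): bool {
    return $sessionId !== null && isset(SESSIONS[$sessionId]);
}

// Hardened pattern: authenticate, then authorize against the server-side role.
function isAdmin(?string $sessionId): bool {
    if (!isAuthenticated($sessionId)) {
        return false;
    }
    return SESSIONS[$sessionId]['role'] === 'admin';
}

// Handler for the admin query endpoint: refuse before touching patient data.
function handleAdminQuery(?string $sessionId): array {
    if (!isAuthenticated($sessionId)) {
        return ['status' => 401, 'body' => 'login required'];
    }
    if (!isAdmin($sessionId)) {
        // Log the denied attempt: repeated 403s on admin endpoints from a
        // doctor session are the signal a defender wants to alert on.
        error_log("authz denied: session={$sessionId} endpoint=/drpanel/drapi/query.php");
        return ['status' => 403, 'body' => 'forbidden'];
    }
    return ['status' => 200, 'body' => 'patient records (constructed placeholder)'];
}

// Demonstration with the two constructed cookies and a missing cookie.
foreach (['sess_admin_0001', 'sess_doctor_0002', null] as $cookie) {
    $r = handleAdminQuery($cookie);
    printf("cookie=%s -> %d %s\n", $cookie ?? '(none)', $r['status'], $r['body']);
}
```

Only the admin session reaches the 200 branch; the doctor session is authenticated but denied with 403, and the denial is logged so that cookie-swapping attempts against admin endpoints show up in server logs.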