FirstBlood-#192 Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php



On 2021-05-11, iffu reported:

Hi zseano...

Summary

I've found a privilege escalation bug on the application. It is very simple. We gain administrative privileges by simply replacing the admin cookie with the low-privileged account's cookie.

Probably, the process to check if a user is admin or not is done on the client side, because I see alerts and other JavaScript stuff displayed when I check details of other users using the low-privileged account.

Steps to reproduce

  • Surf every endpoint on /drpanel with the provided admin credentials.
  • Turn on Burp while doing this.
  • Now, on the /drpanel/drapi/query.php and /drpanel/drapi/query.php requests, just replace the admin's cookie with that of the low-privileged user.
  • You will observe that you get a response that is not intended.
  • You have bypassed the client-side validations and checks.

Thanks zseano, and please let me know if you need any more information regarding this.

P1 CRITICAL

Endpoint: /drpanel/drapi/query.php and /drpanel/drapi/query.php

Parameter: ***

Payload: ***


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
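The root cause described above is that the admin/doctor distinction lives only in the front-end JavaScript, so any valid session cookie receives the admin response. The following is an added example (not code from the FirstBlood application or from the report) contrasting that behaviour with a server-side role check; the session store, cookie values, patient record and the `vulnerable_query`/`hardened_query` function names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "admin" or "doctor"

# Constructed server-side session store: cookie value -> authenticated identity.
# In the real application this is whatever the PHP session maps the cookie to.
SESSIONS = {
    "adm-cookie-0001": Session(user="admin", role="admin"),
    "doc-cookie-0002": Session(user="dr_example", role="doctor"),
}

# Constructed sample data that only administrators may query.
PATIENT_RECORDS = [{"id": 1, "name": "Patient A", "notes": "constructed sample"}]

# Audit trail for denied attempts, so a SOC can detect role-boundary probing.
AUDIT_LOG: List[str] = []

def vulnerable_query(cookie: str) -> Tuple[int, Optional[list]]:
    """Models the reported defect: the handler only checks that the session
    exists. Whether the user is an admin is decided client-side, so swapping
    in a doctor's cookie still yields the full admin response."""
    if cookie not in SESSIONS:
        return 401, None
    return 200, PATIENT_RECORDS

def hardened_query(cookie: str) -> Tuple[int, Optional[list]]:
    """Authorization is enforced on the server from the session's own role;
    nothing the client sends besides the session identifier is trusted."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, None
    if session.role != "admin":
        # Deny by default and record who tried to reach an admin-only endpoint.
        AUDIT_LOG.append(f"denied admin endpoint: user={session.user} role={session.role}")
        return 403, None
    return 200, PATIENT_RECORDS

if __name__ == "__main__":
    # The report's scenario: the admin cookie replaced by the doctor's cookie.
    print("vulnerable:", vulnerable_query("doc-cookie-0002")[0])  # 200, data leaks
    print("hardened:  ", hardened_query("doc-cookie-0002")[0])    # 403, denied
```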


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.