FirstBlood-#192 — Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-11, iffu reported:
I've found a privilege escalation bug in the application. It is very simple. We gain administrative privileges by simply replacing the admin cookie with the low-privileged account's cookie.
Steps to reproduce
- Surf every endpoint on /drpanel with the provided admin credentials.
- Turn on Burp while doing this.
- Now, on the /drpanel/drapi/query.php and /drpanel/drapi/query.php requests, just replace the admin's cookie with the low-privileged user's.
- You will observe that you get a response which is not intended.
- You have bypassed the client-side validations and checks.
Thanks zseano, and please let me know if you need any more information regarding this.
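The root cause described in this report is that the admin endpoint trusts the client (the admin UI simply never calls it for doctors) instead of checking the role held in the server-side session. The following is an added illustration, not FirstBlood's code: a vulnerable handler beside a hardened one, plus an authorization regression check that replays each admin-only path with a low-privileged session, so the fix cannot silently regress. Session cookies, user names and patient records are constructed placeholders.

```python
# Constructed server-side session store: cookie value -> session data.
SESSIONS = {
    "admin-cookie-constructed": {"user": "admin", "role": "admin"},
    "doctor-cookie-constructed": {"user": "dr_example", "role": "doctor"},
}

# Constructed records standing in for the sensitive patient data the endpoint returns.
PATIENT_RECORDS = [{"id": 1, "name": "Patient One", "notes": "constructed sample"}]

# Path -> function producing the response body.
ENDPOINTS = {"/drpanel/drapi/query.php": lambda: PATIENT_RECORDS}
# Paths that must only ever be served to administrators.
ADMIN_ONLY = {"/drpanel/drapi/query.php"}


def session_for(cookie):
    """Look the cookie up on the server; an unknown cookie means no session."""
    return SESSIONS.get(cookie)


def handle_vulnerable(path, cookie):
    """Only checks that *some* session exists, relying on the UI to hide admin
    features from doctors. Swapping in a doctor's cookie is enough to be served."""
    if session_for(cookie) is None:
        return 401, None
    if path not in ENDPOINTS:
        return 404, None
    return 200, ENDPOINTS[path]()


def handle_hardened(path, cookie):
    """Authorization is decided from the server-side session's role, never from
    anything the client controls. Doctors hitting an admin path get 403."""
    sess = session_for(cookie)
    if sess is None:
        return 401, None
    if path not in ENDPOINTS:
        return 404, None
    if path in ADMIN_ONLY and sess["role"] != "admin":
        return 403, None
    return 200, ENDPOINTS[path]()


def authz_regression(handler, low_priv_cookie):
    """Replay every admin-only path with a low-privileged session and return
    the paths that still hand back data. An empty list means the check holds."""
    return [p for p in sorted(ADMIN_ONLY)
            if handler(p, low_priv_cookie)[0] == 200]
```

Running `authz_regression` against the vulnerable handler lists `/drpanel/drapi/query.php`; against the hardened one it returns an empty list.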
This report has been publicly disclosed for everyone to view
/drpanel/drapi/query.php and /drpanel/drapi/query.php
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
Respect Earnt: 2000000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.