FirstBlood-#216: IDOR to view Patient Information from a Lower Privileged User

On 2021-05-12, smhtahsin33 reported:

Hello, I found an IDOR in /drpanel/drapi/query.php that can be accessed by a lower privileged user. If we click on the patient name directly with a lower privileged account it says: "Patient Information: You are not authorised to view this. Consult your medical administrator." But it can be accessed with a direct query to the API endpoint.

Steps To Reproduce:

  1. Visit with a lower privileged account
  2. You can still see their Private Information

Impact: Privilege Escalation


Endpoint: /drpanel/drapi/query.php

Parameter: ?aptid={id}

Payload: N/A

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, revealing sensitive patient information.
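The root cause is that the "not authorised" message is enforced only in the UI, while the API endpoint itself never checks who is asking. The following is an added example (not the FirstBlood application's own code): a minimal Python model of an appointment lookup keyed by `aptid`, showing the vulnerable handler beside a hardened one that enforces both a role check and an ownership check server-side. The roles, user ids and records are constructed assumptions for the demo.

```python
"""Added example: modelling /drpanel/drapi/query.php?aptid=<id> access control.
Not the application's real code; data below is constructed for the demo."""
from dataclasses import dataclass

# Constructed sample records (assumption: each appointment has an assigned doctor).
APPOINTMENTS = {
    101: {"patient": "A. Example", "notes": "allergy: penicillin", "doctor_id": 7},
    102: {"patient": "B. Example", "notes": "follow-up in 2 weeks", "doctor_id": 9},
}


@dataclass
class Session:
    user_id: int
    role: str  # assumed roles: "admin" or "doctor"


class Forbidden(Exception):
    """Raised when the caller may not view the requested record."""


def query_vulnerable(session, aptid):
    """Mirrors the reported bug: the UI hides the patient link from non-admins,
    but the API handler itself returns the record to any authenticated caller."""
    return APPOINTMENTS[int(aptid)]


def query_hardened(session, aptid):
    """Authorization lives in the API handler, independent of the UI:
    - reject a malformed aptid before touching storage
    - admins may read any record (function-level check)
    - doctors may read only appointments assigned to them (object-level check)
    A missing record and a denied record produce the same error, so the
    endpoint does not leak which ids exist."""
    try:
        aptid = int(aptid)
    except (TypeError, ValueError):
        raise Forbidden("not authorised")
    record = APPOINTMENTS.get(aptid)
    if record is None:
        raise Forbidden("not authorised")
    if session.role == "admin":
        return record
    if session.role == "doctor" and record["doctor_id"] == session.user_id:
        return record
    raise Forbidden("not authorised")


def is_denied(session, aptid):
    """True if the hardened handler refuses this caller/record pair."""
    try:
        query_hardened(session, aptid)
        return False
    except Forbidden:
        return True
```

A regression test for this class of bug should call the API directly with a doctor-role session, exactly as the report does, rather than only checking that the UI hides the link.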

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.