FirstBlood-#216 — IDOR to view Patient Information from a Lower Privileged User
This issue was discovered on FirstBlood v1
On 2021-05-12, smhtahsin33 Level 3 reported:
Hello, I found an IDOR in /drpanel/drapi/query.php that can be accessed with a lower privileged user. If we click on the patient name directly with a lower privileged account it says:
"Patient Information. You are not authorised to view this. Consult your medical administrator." But it can be accessed with a direct query to the API endpoint.
Steps To Reproduce:
- Visit http://firstbloodhackers.com:49585/drpanel/drapi/query.php?aptid=56911019 with a lower privileged account
- You can still see their private information
Impact: Privilege Escalation
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
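The root cause described in this report is an authorisation check that exists only in the UI page and not in the API endpoint the page calls. The following Python model is an added example and is not FirstBlood's code: it simulates the query.php?aptid=... lookup with an in-memory store (constructed data, no real patient records) and shows the broken handler beside a hardened one that enforces the check server-side. The role names "admin" and "doctor", the rule that a doctor may view only appointments assigned to them, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class User:
    username: str
    role: str  # "admin" or "doctor"; assumed role names, not FirstBlood's

# Constructed sample data: appointment id -> assigned doctor and patient record
APPOINTMENTS: Dict[int, dict] = {
    56911019: {"doctor": "dr_smith", "patient": {"name": "Patient A", "condition": "redacted"}},
    56911020: {"doctor": "dr_jones", "patient": {"name": "Patient B", "condition": "redacted"}},
}

Response = Tuple[int, dict]  # (HTTP status, JSON body)

def lookup_vulnerable(user: User, aptid: int) -> Response:
    """The pattern from the report: any authenticated session gets the record.
    The UI refuses to render it for non-admins, but the API never checks."""
    record = APPOINTMENTS.get(aptid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record["patient"]

def is_authorised(user: User, record: Optional[dict]) -> bool:
    """Admins may view any appointment; a doctor only their own (assumed policy)."""
    if user.role == "admin":
        return True
    return record is not None and record["doctor"] == user.username

def lookup_hardened(user: User, aptid: int) -> Response:
    """Same lookup with the authorisation decision made on the server."""
    record = APPOINTMENTS.get(aptid)
    if not is_authorised(user, record):
        # Identical response whether the id is unassigned or nonexistent, so a
        # lower-privileged caller cannot use the status code to enumerate ids.
        return 403, {"error": "You are not authorised to view this."}
    if record is None:
        return 404, {"error": "not found"}
    return 200, record["patient"]

def parse_aptid(raw: str) -> Optional[int]:
    """Accept only a plain positive integer for the aptid query parameter."""
    return int(raw) if raw.isdigit() else None

def handle_query(user: User, params: Dict[str, str], handler=lookup_hardened) -> Response:
    """Entry point modelling query.php: validate input, then dispatch to a handler."""
    aptid = parse_aptid(params.get("aptid", ""))
    if aptid is None:
        return 400, {"error": "bad aptid"}
    return handler(user, aptid)

if __name__ == "__main__":
    doctor = User("dr_jones", "doctor")
    print("vulnerable:", handle_query(doctor, {"aptid": "56911019"}, lookup_vulnerable))
    print("hardened:  ", handle_query(doctor, {"aptid": "56911019"}))
```

Running the script shows the same request from a doctor who does not own appointment 56911019 returning the patient record through the vulnerable handler and a 403 through the hardened one. The fix is that the same authorisation function is consulted by every path that can return the record, not only by the page that displays it.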