FirstBlood-#216 — IDOR to view Patient Information from a Lower Privileged User
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-12, smhtahsin33 reported:
I found an IDOR in /drpanel/drapi/query.php that can be accessed with a lower privileged user.
If we click on the patient name directly with a lower privileged account, it says:
Patient Information You are not authorised to view this. Consult your medical administrator.
But it can be accessed with a direct query to the API endpoint.
Steps To Reproduce:
- Visit http://firstbloodhackers.com:49585/drpanel/drapi/query.php?aptid=56911019 with a lower privileged account
- You can still see their private information.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
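The root cause described above (and reproduced by the aptid request in the report) is an endpoint that trusts the session but never checks whether that account may see the requested appointment. The following is an added example, not FirstBlood's code: it models an appointment-lookup handler with a constructed in-memory store, shows the missing check beside a fixed handler, and assumes a hypothetical policy (admins see everything, doctors only their own appointments).

```python
# Added example modelling a query.php-style lookup; data and policy are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "doctor"


# Constructed sample data: appointment id -> record (hypothetical fields).
APPOINTMENTS = {
    56911019: {"patient": "A. Example", "doctor": "dr_who", "notes": "confidential"},
    56911020: {"patient": "B. Example", "doctor": "dr_other", "notes": "confidential"},
}

DENIED = {"error": "You are not authorised to view this. Consult your medical administrator."}


def parse_aptid(raw):
    """Query-string values arrive as text; reject anything that is not an integer id."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def query_vulnerable(user, raw_aptid):
    """Mirrors the reported bug: being logged in is the only requirement."""
    record = APPOINTMENTS.get(parse_aptid(raw_aptid))
    return (200, record) if record is not None else (404, None)


def query_fixed(user, raw_aptid):
    """Enforce the same rule the UI shows, but on the server side.

    Unknown ids and forbidden ids get the identical generic response so that
    an attacker cannot use the status code to enumerate valid appointment ids.
    """
    record = APPOINTMENTS.get(parse_aptid(raw_aptid))
    allowed = record is not None and (
        user.role == "admin" or record["doctor"] == user.name
    )
    if not allowed:
        # Audit-log the denial: one account hitting many aptids and collecting
        # denials is the detection signal for IDOR probing.
        print(f"DENY user={user.name} role={user.role} aptid={raw_aptid}")
        return 403, DENIED
    return 200, record
```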
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.