FirstBlood-#216 IDOR to view Patient Information from a Lower Privileged User
This issue was discovered on FirstBlood v1

On 2021-05-12, smhtahsin33 Level 3 reported:

Hello, I found an IDOR in /drpanel/drapi/query.php that can be accessed by a lower-privileged user. If we click on the patient name directly with a lower-privileged account it says: "Patient Information: You are not authorised to view this. Consult your medical administrator." But it can be accessed with a direct query to the API endpoint.

Steps To Reproduce:

  1. Visit with a lower-privileged account
  2. You can still see their private information

Impact: Privilege Escalation


Endpoint: /drpanel/drapi/query.php

Parameter: ?aptid={id}

Payload: N/A

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
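The pattern behind this report is an access check that exists only in the admin UI while the API it calls returns the record for any `aptid`. The following is an added illustration, not FirstBlood's code: the leaky handler beside a hardened one that enforces the role and ownership check on the server for every request. The session layout (`user_id`, `role`), the `doctor_id` column and the sample appointment are assumptions, since the real schema of query.php is not shown in the report.

```php
<?php
// Added example (not FirstBlood's code). Assumed: $session carries 'user_id'
// and 'role' ('admin' or 'doctor'); each appointment has a 'doctor_id' column.
declare(strict_types=1);

// Vulnerable pattern: only "is someone logged in?" is checked, so any doctor
// account can fetch any patient's record by supplying ?aptid=<id> directly.
function query_vulnerable(array $session, array $appointments, int $aptid): ?array
{
    if (!isset($session['user_id'])) {
        http_response_code(401);
        return null;
    }
    return $appointments[$aptid] ?? null;
}

// Hardened: authorization is decided server-side per object, not by the UI.
function query_hardened(array $session, array $appointments, int $aptid): ?array
{
    if (!isset($session['user_id'], $session['role'])) {
        http_response_code(401);
        return null;
    }
    $record = $appointments[$aptid] ?? null;
    if ($record === null) {
        http_response_code(404);
        return null;
    }
    // Admins may view any appointment; a doctor only those assigned to them.
    $allowed = $session['role'] === 'admin'
        || ($session['role'] === 'doctor' && $record['doctor_id'] === $session['user_id']);
    if (!$allowed) {
        // Log the denial so repeated probing of aptid values is visible to SOC.
        error_log(sprintf('authz denied user=%d role=%s aptid=%d',
            $session['user_id'], $session['role'], $aptid));
        http_response_code(403);
        return null;
    }
    return $record;
}

// Constructed sample data: appointment 1001 belongs to doctor 2; doctor 7 asks for it.
$appointments = [
    1001 => ['aptid' => 1001, 'doctor_id' => 2, 'patient' => 'Example Patient', 'notes' => 'private'],
];
$doctorSession = ['user_id' => 7, 'role' => 'doctor'];

var_dump(query_vulnerable($doctorSession, $appointments, 1001) !== null); // record leaks
var_dump(query_hardened($doctorSession, $appointments, 1001) === null);   // denied with 403
```

The same `allowed` decision must also cover every other path that reaches the data (list views, exports, search), otherwise the check is just moved rather than fixed.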