FirstBlood-#217IDOR in Search Patient Functionality Leads to PII Leakage
This issue was discovered on FirstBlood v1

On 2021-05-12, smhtahsin33 Level 3 reported:

Hello, If we try to query names it shows As your account is new you are unable to search for patients. but can be bypassed by directly querying the api endpoint with a lower privileged account.

Steps To Reproduce:

  1. Make a POST request to /drpanel/drapi/qp.php with a name parameter in it
  2. Must put Content-Type: application/x-www-form-urlencoded in the request
  3. You can see a 200 OK response with patients PII information in it.

Impact: Privilege Escalation


Endpoint: /drpanel/drapi/qp.php

Parameter: name=

Payload: N/A

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.