FirstBlood-#217 — IDOR in Search Patient Functionality Leads to PII Leakage
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-12, smhtahsin33 reported:
If we try to query names it shows "As your account is new you are unable to search for patients." but this can be bypassed by directly querying the API endpoint with a lower-privileged account.
Steps To Reproduce:
- Make a POST request to /drpanel/drapi/qp.php with a name parameter in it
- Must put Content-Type: application/x-www-form-urlencoded in the request
- You can see a 200 OK response with patients' PII information in it.
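The underlying weakness is that the "new account cannot search patients" rule lives only in the front end, so the API behind it answers any authenticated doctor. Below is an added example (not FirstBlood's code) of how a qp.php-style handler can enforce the same rule server-side before touching patient data; the session keys, the 30-day probation period and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical policy (assumption): admins may always search; doctors only once
// their account is older than the probation period. Enforced here, not in the UI.
const PROBATION_DAYS = 30;

function canSearchPatients(array $session, int $now): bool
{
    // Deny by default: unauthenticated or incomplete sessions get nothing.
    if (!isset($session['user_id'], $session['role'], $session['created_at'])) {
        return false;
    }
    if ($session['role'] === 'admin') {
        return true;
    }
    if ($session['role'] === 'doctor') {
        $ageDays = ($now - (int) $session['created_at']) / 86400;
        return $ageDays >= PROBATION_DAYS;
    }
    return false;
}

// Handler for the search endpoint. The authorisation check runs first, so it
// does not matter whether the request came from the panel or was hand-crafted
// with a different Content-Type. $lookup stands in for the real patient query.
function handleQp(array $session, array $post, callable $lookup, int $now): array
{
    if (!canSearchPatients($session, $now)) {
        return ['status' => 403, 'body' => ['error' => 'not authorised to search patients']];
    }
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '') {
        return ['status' => 400, 'body' => ['error' => 'name required']];
    }
    return ['status' => 200, 'body' => $lookup($name)];
}

// Constructed demo: a doctor account created one day ago is refused (403),
// an admin is served (200).
$now       = 1_620_800_000;
$lookup    = fn(string $n): array => [['name' => $n, 'note' => 'constructed record']];
$newDoctor = ['user_id' => 7, 'role' => 'doctor', 'created_at' => $now - 86400];
$admin     = ['user_id' => 1, 'role' => 'admin',  'created_at' => $now - 10 * 86400];

echo handleQp($newDoctor, ['name' => 'smith'], $lookup, $now)['status'], PHP_EOL; // 403
echo handleQp($admin,     ['name' => 'smith'], $lookup, $now)['status'], PHP_EOL; // 200
```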
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.