FirstBlood-#217 — IDOR in Search Patient Functionality Leads to PII Leakage
This issue was discovered on FirstBlood v1
On 2021-05-12, smhtahsin33 (Level 3) reported:
Hello, if we try to query names it shows "As your account is new you are unable to search for patients." but it can be bypassed by directly querying the API endpoint with a lower-privileged account.
Steps To Reproduce:
- Make a POST request to /drpanel/drapi/qp.php with a name parameter in it
- Must put Content-Type: application/x-www-form-urlencoded in the request
- You can see a 200 OK response with patients' PII information in it.
Impact: Privilege Escalation
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
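The root cause above is that the "new account" restriction was enforced only in the front-end while the API handler trusted any authenticated session. The handler below is an added example, not FirstBlood's own qp.php, showing the same check performed server-side; it assumes a PHP session carrying user_id, role and created_at, a configured PDO connection in $pdo, and placeholder table and column names.

```php
<?php
// Added example (not FirstBlood's code): patient search that decides
// authorization in the API handler, so calling it directly gains nothing.
// Assumptions: session keys 'user_id', 'role', 'created_at'; $pdo is a
// configured PDO handle; 'patients' table and its columns are placeholders.
declare(strict_types=1);
session_start();

const SEARCH_MIN_ACCOUNT_AGE_DAYS = 7; // assumed policy value

function canSearchPatients(array $session, int $now): bool
{
    if (empty($session['user_id'])) {
        return false;                        // not authenticated
    }
    $role = $session['role'] ?? '';
    if ($role === 'admin') {
        return true;                         // admins may always search
    }
    if ($role !== 'doctor') {
        return false;                        // no other role may search
    }
    // Same rule the UI displays, now enforced where the data is served.
    $ageDays = ($now - (int)($session['created_at'] ?? $now)) / 86400;
    return $ageDays >= SEARCH_MIN_ACCOUNT_AGE_DAYS;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (!canSearchPatients($_SESSION, time())) {
    // Identical answer whether the feature is hidden in the UI or the
    // endpoint is requested directly.
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'As your account is new you are unable to search for patients.']);
    exit;
}

$name = trim((string)($_POST['name'] ?? ''));
if ($name === '' || strlen($name) > 100) {
    http_response_code(400);
    exit;
}
// Parameterised query, LIKE wildcards escaped, and only the columns the
// search UI needs are returned (no full PII record in the list response).
$pattern = '%' . addcslashes($name, '%_\\') . '%';
$stmt = $pdo->prepare('SELECT id, name FROM patients WHERE name LIKE ? LIMIT 50');
$stmt->execute([$pattern]);
header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

A regression test for this class of bug is to call the endpoint with a freshly created doctor session and assert on a 403 rather than a 200 with patient data.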