FirstBlood #217: IDOR in Search Patient Functionality Leads to PII Leakage



On 2021-05-12, smhtahsin33 reported:

Hello, if we try to query names it shows "As your account is new you are unable to search for patients." but this can be bypassed by directly querying the API endpoint with a lower-privileged account.

Steps To Reproduce:

  1. Make a POST request to /drpanel/drapi/qp.php with a name parameter in it
  2. Must put Content-Type: application/x-www-form-urlencoded in the request
  3. You can see a 200 OK response with patients' PII information in it.

Impact: Privilege Escalation

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name=

Payload: N/A


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
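The root cause described above is that the "account is new" restriction lives only in the page, not in the endpoint it calls. The handler below is an added example, not code from the report or from the FirstBlood application, showing the same decision enforced server-side on every request to the search endpoint; the role names, the account-age threshold and the patient records are assumptions.

```python
# Added example: server-side authorization for a patient-search endpoint
# (the role of /drpanel/drapi/qp.php in the report). The denial is decided
# in the handler itself, so a direct API request from a new or low-privileged
# account gets the same answer the UI would give.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MIN_ACCOUNT_AGE_DAYS = 30                 # assumed policy value
ROLES_ALLOWED_TO_SEARCH = {"admin", "doctor"}   # assumed role names

# Constructed sample records standing in for the application's patient table.
PATIENTS = [
    {"name": "Alice Example", "dob": "1980-01-01", "ssn": "***-**-1234"},
    {"name": "Alina Sample",  "dob": "1975-06-30", "ssn": "***-**-9876"},
]

DENIED_NEW_ACCOUNT = "As your account is new you are unable to search for patients."

@dataclass
class Session:
    user: str
    role: str
    created: date        # account creation date from the server-side session

def authorize_search(session: Session, today: date) -> Optional[str]:
    """Return None when the search is permitted, otherwise the denial message."""
    if session.role not in ROLES_ALLOWED_TO_SEARCH:
        return "Forbidden"
    if today - session.created < timedelta(days=MIN_ACCOUNT_AGE_DAYS):
        return DENIED_NEW_ACCOUNT
    return None

def search_patients(session: Session, name: str, today: date, audit: list) -> dict:
    """Endpoint handler: authorize first, then query. Denials are logged so
    repeated direct calls to the API from new accounts are visible to SOC."""
    denial = authorize_search(session, today)
    if denial:
        audit.append(f"DENY user={session.user} role={session.role} name={name!r}: {denial}")
        return {"status": 403, "error": denial}
    hits = [p for p in PATIENTS if name.lower() in p["name"].lower()]
    audit.append(f"ALLOW user={session.user} hits={len(hits)}")
    return {"status": 200, "results": hits}
```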


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.