FirstBlood-#221 — Patient's information can be obtained from a non admin account
This issue was discovered on FirstBlood v1
On 2021-05-13, d20s84 Level 3 reported:
Summary : A non admin doctor can view all the patient's information that only a admin user has access to and can grant access to. The only requirement that non admin should have is to submit the above provided endpoints.
- Login as a non admin user.
- For the two urls use separate methods: 2.1. /drapi/query.php?aptid=56911356 ; Submit this endpoint to the browser and boom the patient's information attached with aptid is accessible.
2.2. /drpanel/drapi/qp.php => submit this endpoint to the browser and intercept the request . Change the request method to POST method . In the body section add name= with no value and submit the request. Boom info to all the patient's information is obtained.
/drapi/query.php?aptid=56911356 ; /drpanel/drapi/qp.php
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.