FirstBlood-#221 — Patient's information can be obtained from a non admin account
This issue was discovered on FirstBlood v1
On 2021-05-13, d20s84 Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary :
A non admin doctor can view all the patient's information that only a admin user has access to and can grant access to. The only requirement that non admin should have is to submit the above provided endpoints.
Steps:
- Login as a non admin user.
- For the two urls use separate methods:
2.1. /drapi/query.php?aptid=56911356 ; Submit this endpoint to the browser and boom the patient's information attached with aptid is accessible.
2.2. /drpanel/drapi/qp.php => submit this endpoint to the browser and intercept the request . Change the request method to POST method . In the body section add name= with no value and submit the request. Boom info to all the patient's information is obtained.
P1 CRITICAL
Endpoint: /drapi/query.php?aptid=56911356 ; /drpanel/drapi/qp.php
Parameter: name=
Payload: -
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.