FirstBlood-#221Patient's information can be obtained from a non admin account
This issue was discovered on FirstBlood v1

On 2021-05-13, d20s84 Level 3 reported:

Summary : A non admin doctor can view all the patient's information that only a admin user has access to and can grant access to. The only requirement that non admin should have is to submit the above provided endpoints.


  1. Login as a non admin user.
  2. For the two urls use separate methods: 2.1. /drapi/query.php?aptid=56911356 ; Submit this endpoint to the browser and boom the patient's information attached with aptid is accessible.

2.2. /drpanel/drapi/qp.php => submit this endpoint to the browser and intercept the request . Change the request method to POST method . In the body section add name= with no value and submit the request. Boom info to all the patient's information is obtained.


Endpoint: /drapi/query.php?aptid=56911356 ; /drpanel/drapi/qp.php

Parameter: name=

Payload: -

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.