FirstBlood-#221 — Patient's information can be obtained from a non admin account
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-13, d20s84 reported:
A non admin doctor can view all the patient's information that only a admin user has access to and can grant access to. The only requirement that non admin should have is to submit the above provided endpoints.
- Login as a non admin user.
- For the two urls use separate methods:
2.1. /drapi/query.php?aptid=56911356 ; Submit this endpoint to the browser and boom the patient's information attached with aptid is accessible.
2.2. /drpanel/drapi/qp.php => submit this endpoint to the browser and intercept the request . Change the request method to POST method . In the body section add name= with no value and submit the request. Boom info to all the patient's information is obtained.
This report has been publicly disclosed for everyone to view
/drapi/query.php?aptid=56911356 ; /drpanel/drapi/qp.php
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.