FirstBlood-#221Patient's information can be obtained from a non admin account

On 2021-05-13, d20s84 reported:

Summary : A non admin doctor can view all the patient's information that only a admin user has access to and can grant access to. The only requirement that non admin should have is to submit the above provided endpoints.


  1. Login as a non admin user.
  2. For the two urls use separate methods: 2.1. /drapi/query.php?aptid=56911356 ; Submit this endpoint to the browser and boom the patient's information attached with aptid is accessible.

2.2. /drpanel/drapi/qp.php => submit this endpoint to the browser and intercept the request . Change the request method to POST method . In the body section add name= with no value and submit the request. Boom info to all the patient's information is obtained.


Endpoint: /drapi/query.php?aptid=56911356 ; /drpanel/drapi/qp.php

Parameter: name=

Payload: -

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.