FirstBlood-#235 — A Doctor can cancel patient's appointments
This issue was discovered on FirstBlood v1.0.0
On 2021-05-14, twsec Level 2 reported:
after navigating through the web-app we learn that a patient can book his appointment and get a unique random ID for it. This random ID is unguessable. after we create an appointment we notice that the patient can modify his appointment or even cancel it. this is the image for creating an appointment
this is the image for cancelling an appointment
now after we login using the Dradmin credentials and enter the drpanel we can view the appointments and the cancelled ones as well, but we cannot cancel patient's appointment or (can we ? ) . we notice that when we click on a patient's name we get a popup with the details of that patient's appointment; but because we are curious and we like to know what's happening behind the scenes we open up inspector element and check what's happening.
and the getinfo(number) gets our attention , there's a number and diving deeper into it we find that the getinfo function is actually using the drapi/query.php?aptid='aptid', and the normal user is using the /api/qa.php api to retrieve his appointment id details now what if we insert the id from the Drpanel into the normal retrieve appointment screen
it tells us that it's invalid, but what if we enter it inside the qa.php API
now we get the original ID the patient gets when booking his appointment
now we take that id (the long string) and enter it inside the retrieve app or through the ma.php API and cancel the appointment
and that's how a doctor can cancel patient's appointments.
id found in drpanel
just switch the id from drpanel into the /api/qa.php
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.