BugBountyHunter

Description:

Critical personal identification information of patients of the Firstbloodhacker.com accessible for any person. To gain this access two issues in the web application have to exploit.

1. Register a rough doctor using the leaked new doctor registration invitation code.
2. Create a request to the vulnerable endpoint with the cookie values extracted from the doctor portal.

Steps To Reproduce:

Step One: Register a rough doctor using the leaked new doctor registration invitation code.

1. Copy the invitation code from redit forum.
2. Visit the new doctor registration portal and enter the invitation code with any attacker's preferred name as the username.
3. Log in to the internal doctor's portal with the new user and supplied password via #2.
4. Extract the cookie values from the logged-in portal.

Step Two: Create a request to the vulnerable endpoint with the cookie values extracted from the doctor portal.

1. Craft a POST request to the vulnerable endpoint as below.
2. Add the cookie values extracted from the doctor portal from the previous step.

3. Send the request and observe the response.

   POST /drpanel/drapi/qp.php HTTP/1.1
Host: firstbloodhackers.com:49730
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
Origin: http://firstbloodhackers.com:49730
Connection: close Referer: http://firstbloodhackers.com:49730/drpanel/index.php
Cookie: {value extracted from step 1}

   name=

Impact:

Critical information including the patient's PII data leaked to the public and the Firstbloodhacker may in violation of the GDPR.
However, the impact may be limited as the knowledge of the vulnerable endpoint was not available to the public personals. Secondary validation of newly registered doctors limits the exposure to this PII and the information about the vulnerable endpoint.