FirstBlood-#279 A non admin doctor can still view patient information using the api

On 2021-05-15, twsec reported:

After logging in as a non-admin doctor, we notice that we are not allowed to view patient information.

But using the API **/drapi/query.php?aptid=<idnumber>**, he can access that info.

P2 High

Endpoint: /drapi/query.php?aptid=

Parameter: drapi

Payload: enter the patient information

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
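A server-side check that would close this gap, as an added example that is not FirstBlood's own code: the handler for the query endpoint authenticates, authorizes by role, and validates aptid before any lookup. The session keys (user_id, role), the role name, the function name and the record layout are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const ROLE_ADMIN = 'admin'; // assumed role name, not from the report

/**
 * Decide the response for GET /drapi/query.php?aptid=<idnumber>.
 * $session: server-side session data (assumed keys 'user_id' and 'role').
 * $lookup:  callable(int): ?array standing in for the real data access.
 * Returns [HTTP status, response body].
 */
function handle_patient_query(array $session, array $query, callable $lookup): array
{
    // Authentication: no session identity, no access.
    if (empty($session['user_id'])) {
        return [401, ['error' => 'authentication required']];
    }
    // Authorization enforced in the API handler itself, deny by default:
    // hiding the page in the UI does not protect the endpoint behind it.
    if (($session['role'] ?? null) !== ROLE_ADMIN) {
        return [403, ['error' => 'forbidden']];
    }
    // aptid must be a positive integer; arrays and missing values fail too.
    $aptid = filter_var($query['aptid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($aptid === false) {
        return [400, ['error' => 'invalid aptid']];
    }
    $record = $lookup($aptid);
    return $record === null ? [404, ['error' => 'not found']] : [200, $record];
}

// Constructed sample data and sessions for a stand-alone run.
$records = [7 => ['aptid' => 7, 'patient' => 'Sample Patient']];
$lookup = fn(int $id): ?array => $records[$id] ?? null;
$cases = [
    'anonymous'        => [[], ['aptid' => '7']],
    'non-admin doctor' => [['user_id' => 2, 'role' => 'doctor'], ['aptid' => '7']],
    'admin'            => [['user_id' => 1, 'role' => 'admin'], ['aptid' => '7']],
    'admin, bad aptid' => [['user_id' => 1, 'role' => 'admin'], ['aptid' => '7abc']],
];
foreach ($cases as $name => [$session, $query]) {
    [$status] = handle_patient_query($session, $query, $lookup);
    printf("%-17s -> HTTP %d\n", $name, $status);
}
```

Keeping the decision in one function that takes the session and query as arguments makes it straightforward to add a regression test asserting that a non-admin doctor session receives 403 from the API.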

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.