FirstBlood-#279: A non-admin doctor can still view patient information using the API
This issue was discovered on FirstBlood v1
On 2021-05-15, twsec Level 2 reported:

After logging in as a non-admin doctor, we notice that we are not allowed to view patient information.

But using the API `/drapi/query.php?aptid=<idnumber>`, he can access that info.

P2 High

Endpoint: /drapi/query.php?aptid=

Parameter: drapi

Payload: enter the patient information


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
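The root cause described above is that the "admins only" restriction is enforced by the web UI (the page simply does not show the link) while the API handler behind `/drapi/query.php` only checks that the caller is logged in. The following Python model is an added illustration, not FirstBlood's own code: it contrasts a handler with that defect against one that makes the role decision server-side on every request. The `Session` class, the `APPOINTMENTS` table and the `handle_query_*` functions are assumptions for this example, and the records are constructed sample data.

```python
"""Added example: UI-only restriction versus server-side authorization
for an appointment lookup endpoint of the form ?aptid=<idnumber>."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample data: appointment id -> patient record.
APPOINTMENTS = {
    101: {"patient": "Alice Example", "notes": "sample diagnosis A"},
    102: {"patient": "Bob Example", "notes": "sample diagnosis B"},
}


@dataclass(frozen=True)
class Session:
    """Assumed shape of the server-side session: who is calling and their role."""
    doctor_id: int
    is_admin: bool


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def parse_aptid(query_string: str) -> int:
    """Validate the aptid parameter before it reaches any lookup.
    Raises ValueError for a missing, duplicated or non-numeric value."""
    values = parse_qs(query_string, keep_blank_values=True).get("aptid", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError("aptid must be a single non-negative integer")
    return int(values[0])


def handle_query_vulnerable(session: Optional[Session], query_string: str) -> dict:
    """Mirrors the reported behaviour: any authenticated doctor gets the record.
    The admin-only rule exists only in the UI, so a direct API call bypasses it."""
    if session is None:
        raise Forbidden("login required")
    aptid = parse_aptid(query_string)
    try:
        return APPOINTMENTS[aptid]
    except KeyError:
        raise NotFound(aptid)


def handle_query_fixed(session: Optional[Session], query_string: str) -> dict:
    """Hardened handler: authentication and the role check both happen here,
    from session state the client cannot edit, before any data is read."""
    if session is None:
        raise Forbidden("login required")
    if not session.is_admin:
        # Deny before touching the record so a non-admin learns nothing,
        # not even whether the appointment id exists.
        raise Forbidden(f"doctor {session.doctor_id} is not an administrator")
    aptid = parse_aptid(query_string)
    record = APPOINTMENTS.get(aptid)
    if record is None:
        raise NotFound(aptid)
    return record


if __name__ == "__main__":
    doctor = Session(doctor_id=7, is_admin=False)
    print("vulnerable:", handle_query_vulnerable(doctor, "aptid=102"))
    try:
        handle_query_fixed(doctor, "aptid=102")
    except Forbidden as e:
        print("fixed:", e)
```

The fix is deliberately placed ahead of the database lookup: a role check that runs after the record has been fetched tends to leak through error messages or timing, and the same ordering is what you want to see when reviewing any endpoint that the UI hides from some roles. On the detection side, a non-admin session issuing requests to `/drapi/query.php` is exactly the access pattern the report describes, so server logs that record the session role alongside the path make this class of bypass visible.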