FirstBlood-#279 — A non admin doctor can still view patient information using the api
This issue was discovered on FirstBlood v1
On 2021-05-15, twsec Level 2 reported:
After logging in as a non-admin doctor, we notice that we are not allowed to view patient information, but using the API /drapi/query.php?aptid=<idnumber> he can access that info.
P2 High
Endpoint: /drapi/query.php?aptid=
Parameter: drapi
Payload: enter the patient information
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
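The defect described in this report is a missing server-side authorization check: the UI hides patient data from non-admin doctors, but the API path does not enforce the same rule. The following is an added example, not FirstBlood's own code, showing the reported behaviour beside a hardened handler for an appointment-lookup endpoint of the /drapi/query.php?aptid=<id> shape. The session layout (a logged_in flag and a role of "admin" or "doctor"), the in-memory appointment store and the audit-log function are assumptions for the example.

```python
"""Added example (not FirstBlood's own code): enforcing the admin-only rule on
the API path, not just in the UI.

Assumptions (not from the report): a session dict carries 'logged_in' and
'role'; roles are 'admin' and 'doctor'; appointments live in a dict.
"""
from urllib.parse import parse_qs

# Constructed sample data: appointment id -> patient record.
APPOINTMENTS = {
    11: {"patient": "Constructed Patient A", "notes": "sample notes"},
    12: {"patient": "Constructed Patient B", "notes": "sample notes"},
}

# Collected by the hardened handler so denied requests can be alerted on.
AUDIT_LOG = []


def parse_aptid(query_string):
    """Extract aptid from a query string such as 'aptid=11'; None if missing
    or not a positive integer (the endpoint should reject those up front)."""
    values = parse_qs(query_string).get("aptid")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def query_vulnerable(session, query_string):
    """Mirrors the reported behaviour: only a login check, no role check, so
    any logged-in doctor can read any appointment's patient information."""
    if not session.get("logged_in"):
        return 401, None
    aptid = parse_aptid(query_string)
    if aptid is None:
        return 400, None
    record = APPOINTMENTS.get(aptid)
    if record is None:
        return 404, None
    return 200, record


def query_fixed(session, query_string):
    """Hardened form: the privilege rule the UI applies (admin only) is
    enforced here, before any record is loaded, and every denial is logged
    so repeated probing by a non-admin account is visible to monitoring."""
    if not session.get("logged_in"):
        return 401, None
    aptid = parse_aptid(query_string)
    if aptid is None:
        return 400, None
    if session.get("role") != "admin":
        AUDIT_LOG.append({
            "event": "patient_info_denied",
            "user": session.get("user"),
            "role": session.get("role"),
            "aptid": aptid,
        })
        return 403, None
    record = APPOINTMENTS.get(aptid)
    if record is None:
        return 404, None
    return 200, record


if __name__ == "__main__":
    doctor = {"logged_in": True, "role": "doctor", "user": "dr_example"}
    admin = {"logged_in": True, "role": "admin", "user": "admin_example"}
    print("vulnerable, doctor:", query_vulnerable(doctor, "aptid=11")[0])
    print("fixed, doctor:     ", query_fixed(doctor, "aptid=11")[0])
    print("fixed, admin:      ", query_fixed(admin, "aptid=11")[0])
    print("audit log:", AUDIT_LOG)
```

The key design point is that the role check runs before the record lookup, so the response code for a non-admin caller does not depend on whether the appointment exists; that keeps the API from leaking which ids are valid while still giving monitoring a clear denial event to alert on.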