FirstBlood-#392[COLLAB with isitbug] Still able to modify email on appointment
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, shreky Level 5 reported:

Summary

When modifying an appointment,its specified that For safeguarding reasons you are only able to modify certain information about your appointment. which only limits the user to modify their message.Previously it was found that the email field could also be modified if the doctorAuthed cookie is set,and that still hasn't changed.
Update: Apart from this,after cancelling an appointment,it's still possible to modify its message via the ma.php endpoint and the changes will be shown on /drpanel/cancelled.php.

Steps to reproduce

  1. Make an appointment
  2. Modify your appointment and add email=changed as an additional POST parameter in the request
  3. The email is gonna get changed too

Impact

Disobeying the following: For safeguarding reasons you are only able to modify certain information about your appointment.(message)

POST Request with added email parameter -->

PoC of changed email -->

P3 Medium

Endpoint: /ma.php

Parameter: email

Payload: changed


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID 20 and 21 and whilst it was not possible to modify via integer, if the ID was known it would still work.