FirstBlood-#436A doctors invite code is easily guessable and grants anyone access to the doctor portal and patient PII data
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, xnl-h4ck3r Level 4 reported:

Summary

It is possible due to a number of vulnerabilities that an attacker is able to register on the app and obtain all patient PII data.

On endpoint /register.php it says: Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account

  • Firstly, an invite code of test is easily guessable while they are testing their new version.
  • Secondly, an invite code can be used multiple times so an attacker has the opportunity to make use of this code even if used before.
  • Thirdly, an attacker is able to register using any user name, not just a Doctor account that has been pre-made (although likely usernames are on /doctors.html).

Once registered, the attacker can then access the Management panel on /drpanel/index.php. The user is informed with Warning: As your account has been recently registered you will not be able to view patient information yet.

The attacker has access to patients full names who have appointments that day, and who have cancelled appointments.

Steps To Reproduce

  1. Go to /register.php, enter a user name and Unique invite code of test
  2. Log in as the new user, and observe the message below:

Impact

Authorisation controls can be bypassed allowed new users access to patient appointment PII data

P3 Medium

Endpoint: /register.php

Parameter: n/a

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.