FirstBlood-#449A User can modify the Email of their appointment despite being disabled for safeguarding reasons
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, xnl-h4ck3r Level 4 reported:

Summary

The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment. When a user modifies an appointment on /manageappointment.php, the page says For safeguarding reasons you are only able to modify certain information about your appointment. The email address is disabled, but a user can change this by adding the email parameter to the POST request, or by directly including it in the Extra Comments field because of DOM XSS vulnerability.

Steps to Reproduce

This can either be one using a proxy such as Burp, or done by exploiting the Extra Comments field:

Ensure you have cookie doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 (this is obtained from registering, but even if unsuccessful, and the value is BASE64 encoded {"doctorAuth":authed}).

Proxy method

  1. Book an appointment on /book-appointment.html and note down the Appointment ID
  2. Go to /yourappointments.php and enter the Appointment ID, and click RETRIEVE APPOINTMENT
  3. Notice the message For safeguarding reasons you are only able to modify certain information about your appointment. and you are unable to modify the email address.
  4. Proxy traffic through Burp and turn Intercept on
  5. On /manageappointment.php for your appointment, click MODIFY APPPOINTMENT
  6. A POST request to /api/ma.php will be interecpeted, and you can add email=newemailaddress to the request before forwarding.
  7. Now enter your appointment ID again and click RETRIEVE APPOINTMENT
  8. Observe the changed email address.

Extra Comments field exploit

  1. Book an appointment on /book-appointment.html and note down the Appointment ID
  2. Go to /yourappointments.php and enter the Appointment ID, and click RETRIEVE APPOINTMENT
  3. Notice the message For safeguarding reasons you are only able to modify certain information about your appointment. and you are unable to modify the email address.
  4. Enter a value in the Extra Comments field (message) of message&email=newemailaddress and click MODIFY APPPOINTMENT
  5. On /manageappointment.php for your appointment, click MODIFY APPPOINTMENT
  6. Now enter your appointment ID again and click RETRIEVE APPOINTMENT
  7. Observe the changed email address.

Impact

A user is able to bypass safeguard controls for the managemnet of appointments.

P3 Medium

Endpoint: /ma.php

Parameter: email & message

Payload: n/a


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID 20 and 21 and whilst it was not possible to modify via integer, if the ID was known it would still work.