FirstBlood-#452 — [COLLAB with itisbug] Non admin doctor can search patients through api
This issue was discovered on FirstBlood v2
On 2021-10-25, shreky Level 5 reported:
A non admin patient that shouldn't have permission to search for patients, is able to do so by making a POST request to the API over at /drpanel/drapi/qp.php with the POST parameter name=a (or any value).
Steps to reproduce
- As a non admin/new doctor, make a POST request to name like in the image
- You'll get back the results
Non admin doctor can search for patients through API when he isn't meant to do so. This also leads to PII leak of patients.
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed for doctors and admins, but query.php was fixed completely whereas qp.php was not.
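As an added illustration (not FirstBlood's code and not the reporter's), a PHP sketch of a qp.php-style handler in the partially fixed shape the resolution describes, beside a version that also enforces the admin role; the session layout, role names, query helper and patient list are assumptions.

```php
<?php
// Added example, not FirstBlood's own code: the authorization gap described in
// the resolution, modelled as two versions of a qp.php-style handler.
// Session layout, role names and the in-memory patient list are assumptions.

$PATIENTS = [ // constructed sample data
    ['name' => 'alice example', 'dob' => '1990-01-01'],
    ['name' => 'adam example',  'dob' => '1985-05-05'],
];

// Hypothetical query helper standing in for the real patient lookup.
function find_patients(array $patients, string $needle): array {
    return array_values(array_filter($patients,
        fn($p) => stripos($p['name'], $needle) !== false));
}

// Partial fix: requires POST and a logged-in doctor, but never checks the role,
// so any doctor account (including a newly created one) can still search.
function qp_partial_fix(array $session, string $method, array $post, array $patients): array {
    if ($method !== 'POST' || empty($session['doctor_id'])) {
        return ['status' => 403, 'body' => []];
    }
    return ['status' => 200, 'body' => find_patients($patients, $post['name'] ?? '')];
}

// Complete fix: authorization is decided server-side from the session role
// and fails closed when the role is absent, so only admins get results.
function qp_fixed(array $session, string $method, array $post, array $patients): array {
    if ($method !== 'POST' || empty($session['doctor_id'])) {
        return ['status' => 403, 'body' => []];
    }
    if (($session['role'] ?? '') !== 'admin') {
        return ['status' => 403, 'body' => []];
    }
    return ['status' => 200, 'body' => find_patients($patients, $post['name'] ?? '')];
}

// Constructed sessions: a freshly registered non-admin doctor and an admin.
$newDoctor = ['doctor_id' => 42, 'role' => 'doctor'];
$admin     = ['doctor_id' => 1,  'role' => 'admin'];
$post      = ['name' => 'a'];

printf("partial fix, new doctor: %d rows returned\n",
    count(qp_partial_fix($newDoctor, 'POST', $post, $PATIENTS)['body']));
printf("complete fix, new doctor: HTTP %d\n", qp_fixed($newDoctor, 'POST', $post, $PATIENTS)['status']);
printf("complete fix, admin: HTTP %d\n", qp_fixed($admin, 'POST', $post, $PATIENTS)['status']);
```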