FirstBlood-#48 — [IDOR] Modifying anyone's Appointment information
This issue was discovered on FirstBlood v1
On 2021-05-09, th4nu0x0 Level 2 reported:
Summary:
- On firstbloodhackers.com, when a user books an Appointment he is only allowed to change Comments, but by adding the email parameter to the POST request it is possible to change the email of the appointment.
- While modifying an appointment, the unique aptid (81b89f14-fd60-47ab-81fd-197b72a43f7e) is used as the identifier, but the normal numerical id (56912589) also works, and it can be easily guessed.
- So by combining these two an attacker can modify other users' appointment Email and Comments.
Steps To Reproduce:
- Create two Appointments and save the ids.
- Log in to your admin account. On the dashboard you can see the appointments made; click the 1st appointment and intercept the request, there you'll see the numerical id, copy it.
- Now visit Manage appointment and enter the 2nd appointment id (eg. 81b89f14-fd60-47ab-81fd-197b72a43f7e).
- Now click Modify appointment, intercept the request, add the POST parameter [email protected] and change the id to the numerical id of the 1st appointment.
- Now check the 1st appointment; you'll see this comment and email there.
Impact:
Since the numerical id can be easily guessed, an attacker can use this to modify other users' appointment email and comments.
P2 High
Endpoint: /api/ma.php
Parameter: id
Payload: {user-id}
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint ma.php (used to modify an appointment) only allows certain fields to be modified. However, because of an application-logic error, if the user has started a doctor signup and therefore has the cookie "doctorAuthed" set, the endpoint also lets them modify the email address of any appointment.
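The following is an added illustration, not FirstBlood's PHP source: a Python model of the ma.php behaviour described in the steps and the root-cause note above, placed beside a hardened version. The in-memory store, the sample appointments, the field names and the exact control flow are assumptions made for the example; only the three defects it models come from the report (a guessable numeric id accepted in place of the UUID, no ownership check, and the email field becoming writable when the client-controlled doctorAuthed cookie is present).

```python
"""Model of the /api/ma.php appointment-modify logic from the FirstBlood report.
Added example, not the application's own code. Store layout, names and the
control flow are assumptions; the three defects modelled are from the report."""
import uuid
from dataclasses import dataclass


@dataclass
class Appointment:
    numeric_id: int   # sequential row id: guessable (assumed layout)
    apt_id: str       # random UUID shown to the user who booked
    owner: str        # username of the booking user
    email: str
    comments: str = ""


def make_store() -> dict:
    """Constructed sample data: two appointments booked by two different users."""
    a = Appointment(10000001, "2d1b6f1e-0c4a-4d4e-9e2b-8a6f0c1d2e3f",
                    "alice", "alice@example.com")
    b = Appointment(10000002, "7f3c9a52-6b1d-4e8a-b0c3-5d2e1f4a6b7c",
                    "bob", "bob@example.com")
    return {a.numeric_id: a, b.numeric_id: b}


def modify_vulnerable(store: dict, params: dict, cookies: dict) -> dict:
    """Behaviour the report describes (modelled, not the real PHP):
    - `id` is matched against the numeric row id as well as the UUID, so a
      guessable integer reaches any appointment;
    - there is no check that the caller owns the appointment;
    - `email` joins the writable fields as soon as a `doctorAuthed` cookie is
      present, whatever its value."""
    ident = str(params.get("id", ""))
    target = next((a for a in store.values()
                   if ident in (a.apt_id, str(a.numeric_id))), None)
    if target is None:
        return {"status": "error"}
    allowed = {"comments"}
    if "doctorAuthed" in cookies:          # client-controlled privilege switch
        allowed.add("email")
    for key in allowed:
        if key in params:
            setattr(target, key, params[key])
    return {"status": "ok", "id": target.apt_id}


def modify_hardened(store: dict, params: dict, cookies: dict,
                    session_user: str) -> dict:
    """One fix per defect:
    - only a well-formed UUID is accepted as the identifier;
    - the appointment must belong to the authenticated session user, and
      "not found" and "not yours" return the same response so ids cannot be
      probed;
    - the writable field set is fixed server-side; cookies play no part."""
    try:
        ident = str(uuid.UUID(str(params.get("id", ""))))
    except ValueError:
        return {"status": "error"}
    target = next((a for a in store.values() if a.apt_id == ident), None)
    if target is None or target.owner != session_user:
        return {"status": "error"}
    if "comments" in params:
        target.comments = params["comments"]
    return {"status": "ok", "id": target.apt_id}


def run_attack() -> dict:
    """Replay the report's request (numeric id, an extra email field, and the
    doctorAuthed cookie) against both handlers as user bob attacking alice's
    appointment; return what happened to alice's row in each case."""
    attack = {"id": "10000001", "email": "attacker@example.com",
              "comments": "see you"}
    cookies = {"doctorAuthed": "1"}   # obtained by starting a doctor signup
    s1 = make_store()
    r1 = modify_vulnerable(s1, attack, cookies)
    s2 = make_store()
    r2 = modify_hardened(s2, attack, cookies, session_user="bob")
    return {
        "vulnerable": (r1["status"], s1[10000001].email, s1[10000001].comments),
        "hardened": (r2["status"], s2[10000001].email, s2[10000001].comments),
    }


if __name__ == "__main__":
    print(run_attack())
```

The numeric-id lookup and the cookie-driven field whitelist are the two things a tester would probe on a real endpoint: send the UUID form of the id and a foreign numeric id, with and without the doctorAuthed cookie, and diff the responses and the stored record. In the hardened handler, rejecting any id that is not a UUID is what stops the enumeration, and the ownership check is what stops a valid but leaked UUID from being abused.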