FirstBlood-#48 — [IDOR] Modifying anyone's Appointment information
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, th4nu0x0 reported:
On firstbloodhackers.com, when a user books an appointment they are only allowed to change the comments, but by adding the email parameter to the POST request it is possible to change the email of the appointment.
While modifying an appointment, the unique aptid (81b89f14-fd60-47ab-81fd-197b72a43f7e) is used as the identity, but the normal numerical id (56912589) also works and can be easily guessed.
So by combining these two, an attacker can modify other users' appointment email and comments.
Steps To Reproduce:
- Create two appointments and save the ids.
- Log in to your admin account. On the dashboard you can see the appointments made; click the 1st appointment and intercept the request. There you'll see the numerical id; copy it.
- Now visit Manage appointment and enter the 2nd appointment id (e.g. 81b89f14-fd60-47ab-81fd-197b72a43f7e).
- Now click Modify appointment, intercept the request, add the POST parameter [email protected] and change the id to the numerical id of the 1st appointment.
- Now check the 1st appointment; you'll see this comment and email there.
Since the numerical id can be easily guessed, an attacker can use this to modify other users' appointment email and comments.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint MA.php (to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, it allows them to modify the email address of any appointment.
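The report's reproduction steps and the triage note above describe two separate defects that combine into the IDOR: the modify endpoint resolves an appointment by a guessable sequential id as well as by its UUID, and a client that carries the "doctorAuthed" cookie is allowed to mass-assign the email field. The following Python model is an added illustration, not FirstBlood's MA.php code (which is PHP and was not published); the in-memory store, the field and parameter names, the session object and the sample appointment data are all assumptions. It places the vulnerable handler beside a hardened one that only accepts the UUID handle, enforces object-level ownership, and allowlists the writable fields regardless of any cookie.

```python
"""Model of an appointment-modification endpoint: vulnerable version (the
behaviour reported on FirstBlood #48) beside a hardened version.
Illustrative code only; names, store and data are assumptions."""
from dataclasses import dataclass, field

# Constructed sample identifiers. The second UUID is the one quoted in the
# report; the first is made up for the victim's appointment.
VICTIM_APTID = "5d7c1f02-3b8e-4b6a-9c1d-0e2f3a4b5c6d"
ATTACKER_APTID = "81b89f14-fd60-47ab-81fd-197b72a43f7e"


@dataclass
class Appointment:
    numeric_id: int          # sequential database id: trivially guessable
    aptid: str               # UUID handle the UI normally sends
    owner: str               # username of the patient who booked it
    email: str
    comment: str = ""


@dataclass
class Request:
    user: str                                  # authenticated session user
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def make_store():
    """Constructed data: one appointment each for a victim and an attacker."""
    apts = (
        Appointment(56912589, VICTIM_APTID, "victim", "victim@example.com"),
        Appointment(56912590, ATTACKER_APTID, "attacker", "attacker@example.com"),
    )
    return {a.aptid: a for a in apts}


def find_loose(store, ident):
    """Lookup that accepts either the UUID or the numeric id (defect 1)."""
    for apt in store.values():
        if apt.aptid == ident or str(apt.numeric_id) == ident:
            return apt
    return None


def modify_vulnerable(store, req):
    """Mirrors the reported behaviour: no ownership check, and the doctor
    cookie alone unlocks the email field (defect 2)."""
    apt = find_loose(store, req.post.get("id", ""))
    if apt is None:
        return "not found"
    if "comment" in req.post:
        apt.comment = req.post["comment"]
    if req.cookies.get("doctorAuthed") == "1" and "email" in req.post:
        apt.email = req.post["email"]          # any appointment, any user
    return "ok"


def modify_hardened(store, req):
    """Fixes both defects: UUID-only lookup, ownership check, field allowlist."""
    apt = store.get(req.post.get("id", ""))    # sequential id is never a handle
    if apt is None or apt.owner != req.user:
        return "not found"                     # same answer either way: no oracle
    if "comment" in req.post:                  # only field a patient may change
        apt.comment = req.post["comment"]
    return "ok"                                # email ignored, cookie or not


if __name__ == "__main__":
    attack = Request("attacker", {"doctorAuthed": "1"},
                     {"id": "56912589", "email": "attacker@evil.example",
                      "comment": "changed by attacker"})
    s = make_store()
    print("vulnerable:", modify_vulnerable(s, attack), s[VICTIM_APTID].email)
    s = make_store()
    print("hardened:  ", modify_hardened(s, attack), s[VICTIM_APTID].email)
```

The hardened handler returns the same "not found" for a missing appointment and for one the caller does not own, so the endpoint cannot be used to enumerate which sequential ids exist; the comment field remains the single writable attribute because the site's own UI only ever exposes that one.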
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.