FirstBlood-#515 — Non-admin doctor account can use qp.php API
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, kinako reported:
Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.
A recently registered doctor account cannot use the API in qp.php. If we try to use it, we see this message:
However, a recently registered doctor account can actually use this API IF THEY KNOW THIS API ENDPOINT.
In this case, I prepared these session cookies.
drAdmin's session cookie:
recently registered doctor:
To confirm, I took a screenshot of the recently registered doctor.
Next, we can see that drAdmin's session works correctly if we use it against the qp.php API.
However, if we set a recently registered doctor's session, it still works correctly!
This seems to be a bug.
- a recently registered doctor can see patient information without any approval or authorization
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php responds to GET requests and should only allow administrators to query for patient information. However, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file: in v1 it allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
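As an added illustration (not FirstBlood's own code), the PHP below contrasts the logged-in-only check that lets a fresh doctor session through with a role-based gate, and puts that gate in one shared function so a fix cannot again land in query.php but miss qp.php; the session layout `$_SESSION['user']['role']` and the include name `auth.inc.php` are assumptions.

```php
<?php
// Added example, not FirstBlood's code. Assumed session layout:
//   $_SESSION['user'] = ['username' => 'drAdmin', 'role' => 'admin'|'doctor']

// Vulnerable gate: only asks "is someone logged in?", so any doctor
// session (including a freshly registered one) reaches the patient query.
function gate_logged_in_only(array $session): bool
{
    return isset($session['user']);
}

// Hardened gate: the decision rests on the server-side role, not on
// whether the client happens to know the endpoint URL.
function gate_admin_only(array $session): bool
{
    return isset($session['user']['role'])
        && $session['user']['role'] === 'admin';
}

// Single enforcement point, meant to be require_once'd by BOTH query.php
// and qp.php. A check copied into each file is what lets a partial fix
// happen: one copy gets corrected, the other keeps the old behaviour.
function require_admin(): void
{
    if (!gate_admin_only($_SESSION ?? [])) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'administrator role required']);
        exit;
    }
}

// Self-check against constructed sessions (throws on a regression).
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
}
$admin  = ['user' => ['username' => 'drAdmin',   'role' => 'admin']];
$doctor = ['user' => ['username' => 'newdoctor', 'role' => 'doctor']];
$anon   = [];
check(gate_logged_in_only($doctor) === true,  'old gate admits a doctor (the bug)');
check(gate_admin_only($doctor)     === false, 'new gate denies a doctor');
check(gate_admin_only($admin)      === true,  'new gate admits drAdmin');
check(gate_admin_only($anon)       === false, 'new gate denies anonymous');

// Head of qp.php and query.php would then both read:
//   session_start();
//   require_once 'auth.inc.php';   // assumed include that defines require_admin()
//   require_admin();
//   ... run the patient query for the GET parameters ...
```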