FirstBlood-#515: Non-admin doctor account can use qp.php API
This issue was discovered on FirstBlood v2
On 2021-10-26, kinako (Level 5) reported:

Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.

Summary

A recently registered doctor account cannot use the API in qp.php. If we try to use it, we see this message:

However, a recently registered doctor account can actually use this API IF THEY KNOW THIS API ENDPOINT.

Vulnerability Description (PoC)

In this case, I prepared these session cookies.

drAdmin's session cookie: cf4bc28b24aa99301ea22c7a2

recently registered doctor: 2fa2c7043c5986daadf806727

To make sure, I took a screenshot of the recently registered doctor.

Next, we can see that drAdmin's session works correctly if we use it against the qp.php API.

However, if we set a recently registered doctor's session, it still works correctly!

This seems to be a bug.

Impact

  • A recently registered doctor can see patient information without any approval or authorization.

Regards, kinako

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: Nay

Payload: Nay


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php responds to GET requests and should only allow administrators to query for patient information. However, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
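As an added example (not FirstBlood's own code), the partial check the triage note describes is shown beside a complete, deny-by-default admin check that both query.php and qp.php would share, so the two endpoints cannot drift apart as they did between v1 and v2; the session array layout, the helper names and the sample sessions are assumptions.

```php
<?php
// Added example, not FirstBlood's own code. The session array layout
// ('user_id', 'role') and all function names are assumptions.

// Partial fix, as the report describes: the endpoint rejects anonymous
// callers but treats every logged-in user alike, so a newly registered
// doctor who knows the URL still reaches the patient lookup.
function qpAllowsPartial(?array $session): bool
{
    return $session !== null && isset($session['user_id']);
}

// Complete fix: deny by default and require the admin role explicitly.
// One shared function means query.php and qp.php enforce the same rule.
function requireAdmin(?array $session): bool
{
    if ($session === null || !isset($session['role'])) {
        return false;
    }
    return $session['role'] === 'admin';
}

// What a hardened qp.php does before touching patient data. $lookup
// stands in for the real query; returning the status instead of sending
// headers lets the decision be inspected from the loop below.
function handleQp(?array $session, callable $lookup): array
{
    if (!requireAdmin($session)) {
        return ['status' => 403, 'body' => ['error' => 'admin only']];
    }
    return ['status' => 200, 'body' => $lookup()];
}

// Constructed sessions mirroring the two accounts in the report.
$sessions = [
    'drAdmin'   => ['user_id' => 1,  'role' => 'admin'],
    'newDoctor' => ['user_id' => 42, 'role' => 'doctor'],
    'anonymous' => null,
];
$lookup = fn() => ['patients' => ['constructed sample record']];

foreach ($sessions as $name => $session) {
    $res = handleQp($session, $lookup);
    printf("%-10s partial=%-5s complete=%d\n", $name,
        qpAllowsPartial($session) ? 'allow' : 'deny', $res['status']);
}
```

The loop makes the difference visible: the partial check lets the doctor session through while the shared admin check returns 403 for it, and the same function protects query.php.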