FirstBlood-#53 Unauthorized users can access "/drpanel/drapi/qp.php" endpoint and access users' PII [COLLAB]



On 2021-05-09, holybugx reported:

Description

Hello Sean,

I found out that unauthorized users can query for every patient they want using the /drpanel/drapi/qp.php endpoint. This leads to unauthorized access to users' PII such as name, telephone, address, and DOB.

Steps to reproduce

I found out that doctors can query for their patients using the /drpanel/drapi/qp.php endpoint. When they query for a patient's name, they are given the information that is used to verify the patient over the phone.

If a doctor queries for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:

Here is the POST request being made to the server:

I found out that changing the POST request to GET will result in the following URL endpoint, which can be used to fetch the data of patients:

http://firstbloodhackers.com/drpanel/drapi/qp.php?name=Sean

However, any unauthorized user can use this API endpoint to query for patient names and their PII.

An attacker doesn't need to know the names of the patients to query for: if the name parameter is empty, all of the patients' data is returned:

Impact

Critical PII Leakage

Kind Regards,

HolyBugx

P1 CRITICAL


FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error.
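As an added illustration (not the actual qp.php source, which the report does not include), a hypothetical PHP handler showing the kind of method-dependent logic error described above, beside a hardened version that authenticates every request before branching, accepts POST only, rejects an empty name, and scopes results to the logged-in doctor's own patients. The table name, column names and session key are assumptions.

```php
<?php
// Added example, not FirstBlood's code: a hypothetical qp.php reconstructed
// from the report's description. Table/column/session names are assumed.

// --- Vulnerable shape: the session check lives only on the POST branch,
// so a GET with ?name=... (or an empty name) is answered for anyone. ---
function qp_vulnerable(PDO $db): array {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        session_start();
        if (empty($_SESSION['doctor_id'])) {
            http_response_code(403);
            return [];
        }
        $name = $_POST['name'] ?? '';
    } else {
        $name = $_GET['name'] ?? '';      // no authentication on this branch
    }
    // '%' . '' . '%' matches every row, so an empty name dumps all patients
    $stmt = $db->prepare("SELECT name, phone, address, dob FROM patients WHERE name LIKE ?");
    $stmt->execute(['%' . $name . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened shape: one auth check before any branching, POST only,
// a non-empty bounded name, and rows limited to the caller's patients. ---
function qp_hardened(PDO $db): array {
    session_start();
    if (empty($_SESSION['doctor_id'])) {
        http_response_code(403);
        return [];
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return [];
    }
    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        http_response_code(400);        // empty name is no longer a wildcard
        return [];
    }
    $stmt = $db->prepare("SELECT name, phone, address, dob FROM patients WHERE doctor_id = ? AND name LIKE ?");
    $stmt->execute([$_SESSION['doctor_id'], $name . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

header('Content-Type: application/json');
echo json_encode(qp_hardened(new PDO('sqlite:patients.db')));
```

The hardened handler still applies the doctor_id filter even when the name matches, so a valid session alone cannot enumerate patients assigned to other doctors.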

Report Feedback

@zseano

Creator & Administrator


Great finding!


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.