FirstBlood-#53 Unauthorized users can access "/drpanel/drapi/qp.php" endpoint and access users' PII [COLLAB]
This issue was discovered on FirstBlood v1



On 2021-05-09, holybugx Level 5 reported:

Description

Hello Sean,

I found out that unauthorized users can query for every patient they want using the /drpanel/drapi/qp.php endpoint; this leads to unauthorized access to users' PII such as name, telephone, address and DOB.

Steps to reproduce

I found out that doctors can query for their patients using the /drpanel/drapi/qp.php endpoint; when they query for a patient's name they are given the patient's information that is used to verify a patient over the phone.

If a doctor queries for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php API endpoint, and the data is returned in their portal:

Here is the POST request being made to the server:

I found out that changing the POST request to GET will result in the following URL endpoint, which can be used to fetch the data of patients:

http://firstbloodhackers.com/drpanel/drapi/qp.php?name=Sean

However, any unauthorized user can use this API endpoint to query for patient names and their PII.

An attacker doesn't need to know the names of the patients to query for. If the name parameter is empty, all of the patients' data is returned:

Impact

Critical PII Leakage

Kind Regards,

HolyBugx

P1 CRITICAL



FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error.
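As an added illustration of the logic error described above (not FirstBlood's source code, which is not shown on this page), the following PHP sketches a handler whose authorisation check is made only on the POST path, next to a hardened handler that authorises before reading any input, accepts only the method the portal uses, rejects an empty name, and scopes results to the requesting doctor's own patients. The handler signatures, the session key doctor_id, the per-patient doctor_id scoping field and the sample patient rows are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration of the logic error described in the report above.
// This is NOT FirstBlood's source code: the handler shape, the session key
// 'doctor_id', the per-patient 'doctor_id' scoping field and the sample rows
// are all assumptions made for this example.

// Constructed sample data standing in for the patients table.
const PATIENTS = [
    ['doctor_id' => 7, 'name' => 'Sean',  'telephone' => '555-0100', 'address' => '1 Example St', 'dob' => '1980-01-01'],
    ['doctor_id' => 7, 'name' => 'Alice', 'telephone' => '555-0101', 'address' => '2 Example St', 'dob' => '1990-02-02'],
    ['doctor_id' => 9, 'name' => 'Bob',   'telephone' => '555-0102', 'address' => '3 Example St', 'dob' => '1975-03-03'],
];

// Vulnerable shape (assumed): the authorisation check is only made on the
// POST path, so a GET request reaches the query with no check at all, and an
// empty name matches every patient.
function qp_vulnerable(string $method, array $params, ?array $session): array
{
    if ($method === 'POST' && empty($session['doctor_id'])) {
        return ['status' => 403, 'body' => []];
    }
    $name = (string)($params['name'] ?? '');
    $rows = array_filter(
        PATIENTS,
        fn(array $p): bool => $name === '' || stripos($p['name'], $name) !== false
    );
    return ['status' => 200, 'body' => array_values($rows)];
}

// Hardened shape: authorise before touching any input, regardless of method;
// accept only the method the portal actually uses; reject an empty search
// term; and scope results to the requesting doctor's own patients.
function qp_hardened(string $method, array $params, ?array $session): array
{
    if (empty($session['doctor_id'])) {
        return ['status' => 403, 'body' => []];
    }
    if ($method !== 'POST') {
        return ['status' => 405, 'body' => []];
    }
    $name = trim((string)($params['name'] ?? ''));
    if ($name === '' || strlen($name) > 64) {
        return ['status' => 400, 'body' => []];
    }
    $doctorId = (int)$session['doctor_id'];
    $rows = array_filter(
        PATIENTS,
        fn(array $p): bool => $p['doctor_id'] === $doctorId
            && stripos($p['name'], $name) !== false
    );
    return ['status' => 200, 'body' => array_values($rows)];
}

// Replay the three requests from the report against both handlers.
$cases = [
    'doctor POST name=Sean'    => ['POST', ['name' => 'Sean'], ['doctor_id' => 7]],
    'anonymous GET name=Sean'  => ['GET',  ['name' => 'Sean'], null],
    'anonymous GET empty name' => ['GET',  ['name' => ''],     null],
];
foreach ($cases as $label => [$method, $params, $session]) {
    $v = qp_vulnerable($method, $params, $session);
    $h = qp_hardened($method, $params, $session);
    printf("%-26s vulnerable: %d (%d rows)   hardened: %d (%d rows)\n",
        $label, $v['status'], count($v['body']), $h['status'], count($h['body']));
}
```

Run with `php qp_example.php`: the vulnerable handler answers all three requests with 200, returning one row for the anonymous GET and every row for the empty name, while the hardened handler returns 403 for both anonymous requests and only the doctor's own match for the authenticated POST. The ordering in the hardened handler is the point: the session check comes first so no request method, parameter value or code path can reach the query without it.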

Report Feedback

@zseano

Creator & Administrator


Great finding!