FirstBlood-#53 — Un-Authorized users can access "/drpanel/drapi/qp.php" endpoint and access users PII [COLLAB]
This issue was discovered on FirstBlood v1
On 2021-05-09, holybugx reported:
I found out that Unauthorized users can query for every patient they want using the
/drpanel/drapi/qp.phpendpoint, this leads to unauthorized access to the user's PII such as
name, telephone, address, DOB.
Steps to reproduce
I found out that doctors can query for their patients using the
/drpanel/drapi/qp.phpendpoint, when they query for a patient's name they will be given his information that is used to verify a patient over the phone.
If a doctor query for a patient using the "Search Patient" button in their panel, a POST request is sent to the
/drpanel/drapi/qp.phpAPI endpoint, and the data is returned in their portal:
Here is the POST request being made to the server:
I found out that changing the POST request to GET will result in the following URL endpoint, which can be used to fetch the data of patients:
However, any unauthorized user can use this API endpoint to query for patient names and their PII.
An attacker doesn't need to know the name of the patients to query for. if the
nameparameter is empty all of the patient's data returns:
Critical PII Leakage
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error