FirstBlood-#548 [Unpatched] Patient's information can be changed that the webapp does not allow to be changed
This issue was discovered on FirstBlood v2

On 2021-10-26, d20s84 Level 3 reported:

Hi again Sean!! I was able to change the patient's information that I am not authorized to change through the manage appointment endpoint.

Impact:

An attacker can obtain the aptid and change info, such as the email, that the attacker is not intended to change.

How?

1. This is what the initial patient info looks like.
2. I put some random string in message, click on the manage appointment button and intercept the request.
3. From past report report?id=540 I was able to obtain the Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 header. I integrated it in the request meant to manage the appointment of the patient, along with the parameter name value pair that I wanted to change.
4. I forwarded the request and Boom!!

P3 Medium

Endpoint: /api/ma.php?success&aptid={id}

Parameter: none

Payload: none


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.
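As an added example, not FirstBlood's own code and not part of the report above, the following Python models the behaviour the report describes for the manage-appointment endpoint (/api/ma.php) beside a hardened version. The request handler is reduced to a function over a form body and a Cookie header; the in-memory store, the aptid value 540, the name field, the DOCTOR_EDITABLE set and the session_is_doctor parameter are assumptions made for the illustration. Only aptid, message, email and the doctorAuthed cookie come from the page.

```python
# Added example, not FirstBlood's own code: a small model of the
# manage-appointment handler as the report describes it, beside a hardened
# version. The store, the field names other than aptid/message/email, and the
# session_is_doctor parameter are assumptions for the illustration.
import copy
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample data: one appointment, keyed by aptid (value chosen for the example).
SAMPLE_STORE = {
    540: {"name": "Alice Example", "email": "alice@example.com", "message": ""},
}

# Fields the manage-appointment form is meant to let a patient change.
PATIENT_EDITABLE = {"message"}
# Fields only a doctor may change (assumption for the model).
DOCTOR_EDITABLE = {"email"}


def fresh_store():
    """Return an independent copy of the sample data so each call starts clean."""
    return copy.deepcopy(SAMPLE_STORE)


def parse_request(body, cookie_header=""):
    """Split a form body and a Cookie header into plain dicts."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    jar = SimpleCookie()
    jar.load(cookie_header)
    return params, {k: m.value for k, m in jar.items()}


def _lookup(params, store):
    """Find the appointment named by aptid; None if absent or not numeric."""
    aptid = params.get("aptid", "")
    return store.get(int(aptid)) if aptid.isdigit() else None


def manage_appointment_vulnerable(body, cookie_header, store):
    """Model of the reported behaviour: the doctorAuthed cookie is taken at face
    value, and with it every posted field (email included) is written to the record."""
    params, cookies = parse_request(body, cookie_header)
    apt = _lookup(params, store)
    if apt is None:
        return {"success": False}
    is_doctor = "doctorAuthed" in cookies           # client-controlled, never verified
    for key, value in params.items():
        if key == "aptid":
            continue
        if key in PATIENT_EDITABLE or is_doctor:
            apt[key] = value                        # mass assignment of posted fields
    return {"success": True, "appointment": dict(apt)}


def manage_appointment_fixed(body, cookie_header, store, session_is_doctor=False):
    """Hardened version: the doctor role comes from server-side session state
    (session_is_doctor, an assumption), not from a cookie the client can set, and
    only allow-listed fields are copied; anything else is dropped and reported."""
    params, _cookies = parse_request(body, cookie_header)   # cookie deliberately unused
    apt = _lookup(params, store)
    if apt is None:
        return {"success": False}
    allowed = PATIENT_EDITABLE | (DOCTOR_EDITABLE if session_is_doctor else set())
    changed = {}
    for key in allowed:
        if key in params:
            apt[key] = params[key]
            changed[key] = params[key]
    ignored = sorted(set(params) - allowed - {"aptid"})
    return {"success": True, "appointment": dict(apt), "changed": changed, "ignored": ignored}


if __name__ == "__main__":
    body = "aptid=540&message=hello&email=attacker%40example.com"
    cookie = "doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9"   # cookie value quoted from the report
    print(manage_appointment_vulnerable(body, cookie, fresh_store()))
    print(manage_appointment_fixed(body, cookie, fresh_store()))
```

With the cookie attached, the vulnerable model lets a patient request overwrite the email, exactly the extra name value pair the reporter added; the same request against the fixed model changes only message and lists email as ignored. Two points carry over to a real fix: the role check must come from state the server owns, since any cookie the browser sends is attacker input, and the update must copy an allow-list of fields rather than whatever the form posted, so an unexpected parameter cannot reach the record even when the role check is later loosened.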