FirstBlood #554: Modifying information on the Appointment Form which is not allowed to be modified
This issue was discovered on FirstBlood v2



On 2021-10-26, th4nu0x0 (Level 2) reported:

Summary:

  • On Firstbloodhacker.com, once a patient has created an appointment they are only allowed to modify the comments; the other fields are not allowed to be modified, as stated on the page.

  • But by adding an email parameter to the body and the header Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 to the request, the email can be changed.

  • doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 base64-decodes to doctorAuthed={"doctorAuth":authed}.

Steps To Reproduce:

  • Create an appointment and copy the ID.
  • Visit Manage Appointment and enter your ID.
  • Now click Modify Appointment and intercept the request.
  • In the request header, add Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
  • In the POST body, add [email protected] and forward the request.

Impact:

Users can modify the email of their appointments, which they should not be able to do according to the application logic.

P3 Medium

Endpoint: /manageappointment.php

Parameter: email

Payload: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
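The report hinges on a privilege decision taken from a cookie the client can forge. The following is an added example, not the report's or FirstBlood's code: a minimal Python model of a manageappointment.php-style update handler, with the vulnerable decision (trust the base64 doctorAuthed cookie) next to a hardened one (role from a server-side session, and an explicit allow-list of fields a patient may change). The appointment store, session store, session cookie name and field names are assumptions made for the demonstration; only the cookie value and its decoding come from the report.

```python
import base64

# Constructed appointment store (hypothetical data, not real FirstBlood records).
APPOINTMENTS = {
    "abc123": {"name": "Patient One", "email": "patient@example.com", "comments": ""},
}

# Constructed server-side session store: session id -> role. In the hardened
# version this, not a client cookie, decides who is a doctor.
SESSIONS = {"s-doc-1": {"role": "doctor"}, "s-pat-1": {"role": "patient"}}

# Field allow-lists. The page states patients may only modify comments.
PATIENT_EDITABLE = {"comments"}
DOCTOR_EDITABLE = {"comments", "email"}

# The exact value from the report, so the decode can be checked offline.
REPORTED_COOKIE = "eyJkb2N0b3JBdXRoIjphdXRoZWR9"


def decode_cookie(raw):
    """Base64-decode a cookie value; returns None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def doctor_cookie_is_set(cookies):
    """The flawed check: anyone who sends the known value 'is' a doctor."""
    raw = cookies.get("doctorAuthed")
    return raw is not None and decode_cookie(raw) == '{"doctorAuth":authed}'


def modify_vulnerable(appt_id, form, cookies):
    """Models the bug: the privilege level comes from a client-controlled cookie,
    so adding the cookie plus an email field lets a patient change the email."""
    if appt_id not in APPOINTMENTS:
        return 404, "no such appointment"
    appt = dict(APPOINTMENTS[appt_id])  # copy so repeated calls stay independent
    allowed = DOCTOR_EDITABLE if doctor_cookie_is_set(cookies) else PATIENT_EDITABLE
    for key, value in form.items():
        if key in allowed:
            appt[key] = value  # unknown/forbidden fields are silently ignored
    return 200, appt


def modify_hardened(appt_id, form, cookies):
    """Role is looked up from the server-side session (assumed cookie name
    PHPSESSID); doctorAuthed is never consulted. Any field outside the caller's
    allow-list rejects the whole request instead of being silently dropped."""
    if appt_id not in APPOINTMENTS:
        return 404, "no such appointment"
    session = SESSIONS.get(cookies.get("PHPSESSID", ""))
    role = session["role"] if session else "patient"
    allowed = DOCTOR_EDITABLE if role == "doctor" else PATIENT_EDITABLE
    rejected = sorted(set(form) - allowed)
    if rejected:
        return 403, f"fields not modifiable by {role}: {rejected}"
    appt = dict(APPOINTMENTS[appt_id])
    appt.update(form)
    return 200, appt


if __name__ == "__main__":
    forged = {"doctorAuthed": REPORTED_COOKIE}
    form = {"comments": "running late", "email": "attacker@example.com"}
    print("decoded cookie:", decode_cookie(REPORTED_COOKIE))
    print("vulnerable:", modify_vulnerable("abc123", form, forged))
    print("hardened:  ", modify_hardened("abc123", form, forged))
```

The hardened handler rejects rather than strips unexpected fields: silently dropping them is what hid this bug from the patient-side UI while still leaving the server willing to honour the email parameter once the cookie was present.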


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.