FirstBlood-#554 — Modifying information on Appointment Form which are not allowed to be modified.
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, th4nu0x0 Level 2 reported:
On Firstbloodhacker.com once a patient created the appointment they are only allowed to modify comments and other fields are not allowed to be modified as mentioned on the page.
But by adding
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9to request header the email can be changed.
Steps To Reproduce:
- Create a appointment and copy the ID
- Visit Manage Appointment and enter your ID
- Now click
Modify Appointmentand Intercept the request
- On request header add
- On post body add
[email protected]and Forward the request.
Users can modify email of their appointments which they shouldn't as per the application logic.
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID
21 and whilst it was not possible to modify via integer, if the ID was known it would still work.