FirstBlood-#561 — A normal user can change the message in an appointment of another user
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, twsec Level 2 reported:
A normal user can change the message typed by another patient who cancelled his appointment.
- We have 2 users: victim1 and attacker1. victim1 booked an appointment and cancelled it, while attacker1 just booked an appointment.
(Image: the message left by victim1)
- Now the attacker manages his appointment and clicks modify, but in the request changes the aptid of his own to that of the victim.
Note: although the id is unguessable, imagine if an attacker were able to get the aptid in some other way; it's not good coding practice if this is allowed.
- Now the message is changed and we can see that in the cancelled section in the drpanel.
(Image: the changed message of the victim)
FirstBlood ID: 21
Vulnerability Type: Insecure direct object reference
Not working correctly: The endpoint MA.php was fixed to prevent the use of integer values; however, whilst it does not require any type of authentication to view normally, it is still vulnerable to IDOR as long as the appointmentID is known. We intended to add another feature which would allow users to convert integer > encrypted ID, and this was an oversight on our behalf. This bug doesn't count towards unique finds.
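The root cause the verdict describes is that the modify endpoint selects the appointment by the client-supplied aptid alone, so an unguessable id is the only thing standing between users. The following is an added illustration, not FirstBlood's MA.php and not code from the report: it rebuilds the two-user setup from the report in an in-memory SQLite database with constructed rows, and places a handler of the vulnerable shape beside one that ties the row to the session user. The table name `appointments`, its columns (`aptid`, `user_id`, `cancelled`, `message`), the user ids and the sample aptid values are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not FirstBlood's own MA.php. Table/column names, user ids and
// aptid values are assumptions; the rows below are constructed test data.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE appointments (
        aptid TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        cancelled INTEGER NOT NULL, message TEXT NOT NULL)');
    // Constructed rows: victim1 (user 1) cancelled and left a message,
    // attacker1 (user 2) has a freshly booked appointment.
    $ins = $db->prepare('INSERT INTO appointments VALUES (?, ?, ?, ?)');
    $ins->execute(['apt-victim-0001', 1, 1, 'Cancelled, please call me to rebook']);
    $ins->execute(['apt-attacker-0002', 2, 0, '']);
    return $db;
}

// The shape the report describes: the aptid taken from the request is the only
// selector, so any logged-in user who knows another user's aptid rewrites that row.
function updateMessageVulnerable(PDO $db, string $aptId, string $message): bool
{
    $stmt = $db->prepare('UPDATE appointments SET message = :msg WHERE aptid = :id');
    $stmt->execute([':msg' => $message, ':id' => $aptId]);
    return $stmt->rowCount() === 1;
}

// Hardened shape: ownership is checked server-side against the session user, and
// the UPDATE repeats the user_id predicate as defence in depth. An unknown id and
// someone else's id both yield false, so the caller can answer 404 for either
// without revealing whether the appointment exists.
function updateMessageOwned(PDO $db, string $aptId, string $message, int $userId): bool
{
    $own = $db->prepare('SELECT 1 FROM appointments WHERE aptid = :id AND user_id = :uid');
    $own->execute([':id' => $aptId, ':uid' => $userId]);
    if ($own->fetchColumn() === false) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE appointments SET message = :msg WHERE aptid = :id AND user_id = :uid'
    );
    $stmt->execute([':msg' => $message, ':id' => $aptId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

function messageOf(PDO $db, string $aptId): string
{
    $q = $db->prepare('SELECT message FROM appointments WHERE aptid = ?');
    $q->execute([$aptId]);
    return (string) $q->fetchColumn();
}

// In a real handler this would come from the session after login, e.g.
// $_SESSION['user_id']; here it is fixed to the attacker's constructed id.
$sessionUserId = 2;

// Request carrying the victim's aptid, as in the report, against the vulnerable handler.
$db = setupDb();
$changed = updateMessageVulnerable($db, 'apt-victim-0001', 'tampered');
echo 'vulnerable handler changed victim row: ', var_export($changed, true),
     ' / message now: ', messageOf($db, 'apt-victim-0001'), PHP_EOL;

// Same request against the hardened handler, then the user's own appointment.
$db = setupDb();
$foreign = updateMessageOwned($db, 'apt-victim-0001', 'tampered', $sessionUserId);
echo 'hardened handler accepted foreign aptid: ', var_export($foreign, true),
     ' / message still: ', messageOf($db, 'apt-victim-0001'), PHP_EOL;
$own = updateMessageOwned($db, 'apt-attacker-0002', 'running ten minutes late', $sessionUserId);
echo 'hardened handler accepted own aptid: ', var_export($own, true), PHP_EOL;
```

Run it with `php example.php` on a build that has `pdo_sqlite`. The design point is the one the verdict makes: moving from integer ids to encrypted or random ones raises the cost of guessing an aptid, but the authorization decision still has to be made on the server from the session identity, not from the id's secrecy, which is why `updateMessageOwned` carries `user_id` into both the lookup and the UPDATE.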