FirstBlood-#568 — Patient can change his email when he's not supposed to
This issue was discovered on FirstBlood v2
On 2021-10-26, twsec Level 2 reported:
any user who booked an appointment can change his email address.
steps to reproduce:
book an appointment
manage appointment: enter your appointment id
modify the request - intercept in burp, add the drAuth cookie and add the email parameter at the end of the body
initial appointment now we intercept the request and modify it
then manage his appointment again
and we see that his email address has changed.
change the email
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID 21 and whilst it was not possible to modify via integer, if the ID was known it would still work.
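An added sketch (not FirstBlood's code, which this page does not show) of the leftover email-update branch described above, next to a patient-facing handler that only accepts allowlisted fields. Only the `email` parameter and the `drAuth` cookie come from the report; the `id` and `message` fields, the function names and the way the cookie is checked are assumptions.

```python
# Added illustration, not FirstBlood source. Only `email` and `drAuth` come
# from the report; `id`, `message` and all function names are assumed.
PATIENT_EDITABLE = frozenset({"message"})   # fields a patient may change
LOOKUP_KEYS = frozenset({"id"})             # identifies the appointment only


class RejectedUpdate(Exception):
    """Raised when a request carries a field the patient may not set."""


def modify_vulnerable(appointment, body, cookies):
    # Behaviour the report describes: a leftover branch still writes the
    # email when a drAuth cookie accompanies an `email` body parameter.
    # Assumption: any non-empty cookie value is accepted (check not shown).
    updated = dict(appointment)
    if "message" in body:
        updated["message"] = body["message"]
    if cookies.get("drAuth") and "email" in body:
        updated["email"] = body["email"]
    return updated


def modify_hardened(appointment, body, cookies):
    # Patient-facing route: cookies never widen the writable field set, and
    # any field outside the allowlist fails the whole request (and can be
    # logged as a tampering signal) instead of being silently dropped.
    unexpected = set(body) - PATIENT_EDITABLE - LOOKUP_KEYS
    if unexpected:
        raise RejectedUpdate("unexpected fields: " + ", ".join(sorted(unexpected)))
    updated = dict(appointment)
    for field in PATIENT_EDITABLE & set(body):
        updated[field] = body[field]
    return updated


# Constructed sample data for the demonstration.
STORED = {"id": "appt-0001", "email": "patient@example.test", "message": "first visit"}
TAMPERED = {"id": "appt-0001", "message": "new note", "email": "other@example.test"}
COOKIES = {"drAuth": "constructed-value"}

if __name__ == "__main__":
    print(modify_vulnerable(STORED, TAMPERED, COOKIES)["email"])
    try:
        modify_hardened(STORED, TAMPERED, COOKIES)
    except RejectedUpdate as exc:
        print("rejected:", exc)
```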