FirstBlood-#568: Patient can change his email when he's not supposed to
This issue was discovered on FirstBlood v2



On 2021-10-26, twsec Level 2 reported:

Any user who booked an appointment can change his email address.

Steps to reproduce:

  1. Book an appointment

  2. Manage appointment: enter your appointment ID

  3. Modify the request - intercept in Burp, add the drAuth cookie and add the email parameter at the end of the body

Initial appointment.

Now we intercept the request and modify it.

Then manage his appointment again.

And we see that his email address has changed.

P3 Medium

Endpoint: /api/ma.php

Parameter: email

Payload: change the email


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.
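
One way to close this class of bug on a patient-facing update handler is a fixed server-side allowlist of writable fields. This is an added example, not FirstBlood's code: the function name, the `message` and `id` field names, and the sample values are assumptions, and only `email` and `drAuth` come from the report.

```php
<?php
declare(strict_types=1);

// Fields a patient may change after booking. Hypothetical names: the report
// names only `email`, which is deliberately absent from this list.
const PATIENT_EDITABLE = ['message'];
// Hypothetical name of the field that identifies the appointment.
const ID_FIELD = 'id';

/**
 * Apply a patient's "modify appointment" request to the stored record.
 * Cookies are not an input here: a client-supplied cookie such as drAuth
 * must never widen what this patient-facing path is allowed to write.
 */
function apply_patient_update(array $stored, array $body): array
{
    $allowed = array_merge(PATIENT_EDITABLE, [ID_FIELD]);
    $unexpected = array_diff(array_keys($body), $allowed);
    if ($unexpected !== []) {
        // Reject instead of silently dropping, so tampering is visible in logs.
        throw new InvalidArgumentException(
            'unexpected field(s): ' . implode(', ', $unexpected)
        );
    }
    foreach (PATIENT_EDITABLE as $field) {
        if (!array_key_exists($field, $body)) {
            continue;
        }
        if (!is_string($body[$field])) {
            throw new InvalidArgumentException("$field must be a string");
        }
        $stored[$field] = $body[$field];
    }
    return $stored;
}

// Constructed sample data, not taken from the report.
$stored   = ['id' => 'appt-0001', 'email' => 'patient@example.test', 'message' => 'old'];
$tampered = ['id' => 'appt-0001', 'message' => 'new', 'email' => 'other@example.test'];

try {
    apply_patient_update($stored, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$updated = apply_patient_update($stored, ['id' => 'appt-0001', 'message' => 'new']);
echo $updated['email'], ' / ', $updated['message'], PHP_EOL;
```

Rejecting the whole request, rather than discarding the extra parameter, gives the application a log event to alert on when a body carries fields the form never sends.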