FirstBlood-#570 Applogic at Modifying Appointment Details
This issue was discovered on FirstBlood v2



On 2021-10-26, mrrootsec (Level 2) reported:

Hello Zseano, hope you are doing well.

Description :

If we log in as a doctor user (non-admin), as per the application, appointment details are limited to edit, but if we add an extra email parameter we can modify the email too, which is not an intended behavior.

Steps to Reproduce the issue :

  1. Make a Doctor Appointment here & copy the Appointment ID [4ee2b78c-c457-491b-be26-72d4dbf7634c]

    https://744d9da56e47-mrrootsec.a.firstbloodhackers.com/book-appointment.php

  2. Navigate to Manage Appointment

    https://744d9da56e47-mrrootsec.a.firstbloodhackers.com/yourappointments.php

  3. Now provide the copied ID -> click on Retrieve Appointment, edit the Message and click on Modify Appointment, adding an extra email parameter into the body.

  4. You can see in the Appointment Details that the email has been changed.

Impact :

  1. In order to handle appointments, a user can overcome restrictions imposed.

Thanks and Regards

MOHAMMAD SAQLAIN

P3 Medium

Endpoint: /api/ma.php

Parameter: NA

Payload: NA


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.
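The root cause the report describes is a mass-assignment style flaw: the update handler behind /api/ma.php applied whichever known fields arrived in the request body, so a doctor who was only meant to edit the message could also submit `email`. The Python sketch below is an added example, not FirstBlood's own code; it contrasts that pattern with a per-role field allow-list, and the role names, field names and `Appointment` structure are assumptions.

```python
from dataclasses import dataclass, replace

# Fields each role may change on an existing appointment.
# Role and field names are assumptions for this example, not FirstBlood's.
EDITABLE_FIELDS = {
    "admin": {"name", "email", "message"},
    "doctor": {"message"},
}


@dataclass(frozen=True)
class Appointment:
    id: str
    name: str
    email: str
    message: str


def modify_appointment_unsafe(appt: Appointment, params: dict) -> Appointment:
    """Vulnerable pattern: every recognised column in the request body is
    applied regardless of who is calling, so an extra `email` parameter sent
    from a doctor account changes the email, as in the report."""
    updates = {k: v for k, v in params.items() if k in ("name", "email", "message")}
    return replace(appt, **updates)


def modify_appointment(role: str, appt: Appointment, params: dict) -> tuple[Appointment, list[str]]:
    """Hardened pattern: only fields on the caller's allow-list are applied.
    Anything else is dropped and returned so the caller can log or alert on
    unexpected parameters instead of silently honouring them."""
    allowed = EDITABLE_FIELDS.get(role, set())
    applied = {k: v for k, v in params.items() if k in allowed}
    rejected = sorted(k for k in params if k not in allowed)
    return replace(appt, **applied), rejected


if __name__ == "__main__":
    # Constructed sample: the appointment ID from the report, other values made up.
    appt = Appointment("4ee2b78c-c457-491b-be26-72d4dbf7634c", "Patient A", "patient@example.com", "Hello")
    body = {"message": "Changed", "email": "other@example.com"}
    print(modify_appointment_unsafe(appt, body).email)  # other@example.com
    fixed, rejected = modify_appointment("doctor", appt, body)
    print(fixed.email, rejected)  # patient@example.com ['email']
```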