PII Information leaked to newly registered Doctor

FirstBlood-#621 — PII Information leaked to newly registered Doctor
This issue was discovered on FirstBlood v2

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2021-10-26, sumyth Level 2 reported:


Hi,
Please find a brief description of the vulnerability below,
Summary
On firstblood.com, doctors are provided with a functionality to search for patients based on patient name/partial names. The endpoint used is vulnerable in the sense that it allows newly registered doctors to access sensitive PII even though they are now supposed to access this functionality.
Steps to Reproduce:

Use the finding FirstBlood-#618 to create a new doctor account and login. Observe that newly registered doctors are not allowed to search for patient details as shown in screenshot below,

 

Using the finding FirstBlood-#383 and accessing the vulnerable endpoint/ reading the page source, we can easily generate the required request for vulnerable endpoint.




By crafting the request for vulnerable endpoint and keeping the vulnerable parameter value as blank, we observe that all the PII details of patients are revealed to newly registered doctor.


Impact
Authorization issue leads to PII leakage which can let attacker get all the sensitive data and lead to GDPR related issues/fines.

This report has been publicly disclosed for everyone to view

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: NA

FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php use to respond to GET requests and it should only allow administrators to query for patient information however the developers only fixed the bug partially and it still allowed for doctors to query for patient information. query.php is related to this file and in v1 allowed for Doctors and admins, but query.php was fixed completely whereas qp.php was not.

BugBountyHunter

Summary

Steps to Reproduce:

Impact