FirstBlood-#64Modification of the appointement's data - Collaboration with Jomar
This issue was discovered on FirstBlood v1

On 2021-05-09, serizao Level 2 reported:

bug and exploit

Hello :),

It is possible to create a appointement on the site. For this purpose several data are required:

Once the payment is created, the site sends us back an id. This id is used later to access the data entered. It is also possible to change the comment.

The fields full name, full address, Patient email and allergies do not seem to be editable because the input fields have the disabled property

The modification request contains only the message parameter. However by replaying the request with the missing parameter names it is possible to modify them. For example email is disabled but if we replay the request with the missing parameter, then it is possible to see the modified email

to perform this exploit cookie doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 must be set with this value this exploit can be chained with jomar rtepport : [COLLAB] Modification of the messages of a reservation via an IDOR and so GUID is not needed only id

original request:

original data :

modified request:

modified data :


This could allow a malicious person to take control of someone's reservation in order to take their place in the consultation

how to fix

In order to correct this, it is advised to take into account only the parameters allowed for modification here, only message and id should be taken into account the other parameters should not even be parsed

P2 High


Parameter: N.A.

Payload: justre add parameter

FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.