FirstBlood-#679 — Cancelled appointments are still accessible through /manageappointment.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, holybugx reported:
The canceled appointments are not completely canceled and are thus still accessible through various API endpoints, which makes it possible for the user to access their canceled appointments and to modify the details.
This issue also exists on FirstBlood V1 and I think it should be considered an application logic bug. Normally, users shouldn't be able to access their canceled appointments due to the application logic (an "invalid appointment" error on the /yourappointments.php endpoint). However, they are still accessible through another API, resulting in a bypass of the application logic.
Steps To Reproduce
- Make an appointment using the
- You will be given an appointment ID after doing so:
- Query for your appointment on the /yourappointments.php endpoint using your appointment ID:
Cancel Appointment to cancel your appointment:
- Now if you try querying for your canceled appointment using the /yourappointments.php endpoint, you will face an error:
- To bypass this, use your appointment ID in the following URL as the value of the aptid parameter to access your appointments:
As observed, you can still access the canceled appointment through another API endpoint, /manageappointment.php. This is an application logic bug that implies that the appointments are not canceled completely and are still accessible to the users through various API endpoints.
- Users can still access their canceled appointments and modify the details due to bypassing the application logic.
- Completely remove the appointments after the user's cancellation from various API endpoints.
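The bug pattern in this report, modelled as an added example (not FirstBlood's own code): one endpoint filters out cancelled appointments while a second one only checks that the row exists, so a soft-cancelled record stays editable. The table, the two handler functions and the shared `load_active_appointment` gate are assumptions for illustration; the fix routes every handler through the same state check so the cancellation cannot be bypassed by choosing a different endpoint.

```python
import sqlite3

# Constructed in-memory stand-in for an appointments table (assumption, not the real schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE appointments (id INTEGER PRIMARY KEY, user_id INTEGER, "
               "details TEXT, cancelled INTEGER NOT NULL DEFAULT 0)")
    return db

def book(db, user_id, details):
    cur = db.execute("INSERT INTO appointments (user_id, details) VALUES (?, ?)", (user_id, details))
    return cur.lastrowid

def cancel(db, aptid):
    # Soft cancel: the row stays in the table, only the flag changes.
    db.execute("UPDATE appointments SET cancelled = 1 WHERE id = ?", (aptid,))

def load_active_appointment(db, aptid):
    # Single gate every endpoint must use: cancelled rows are treated as non-existent.
    row = db.execute("SELECT id, details FROM appointments WHERE id = ? AND cancelled = 0",
                     (aptid,)).fetchone()
    if row is None:
        raise LookupError("invalid appointment")
    return row

def your_appointments(db, aptid):
    # The endpoint that behaves correctly: it rejects cancelled appointments.
    return load_active_appointment(db, aptid)[1]

def manage_appointment_vulnerable(db, aptid, new_details):
    # The flawed endpoint: existence is checked, the cancelled flag is not.
    if db.execute("SELECT id FROM appointments WHERE id = ?", (aptid,)).fetchone() is None:
        raise LookupError("invalid appointment")
    db.execute("UPDATE appointments SET details = ? WHERE id = ?", (new_details, aptid))

def manage_appointment_fixed(db, aptid, new_details):
    # Hardened endpoint: reuse the shared gate before any modification.
    load_active_appointment(db, aptid)
    db.execute("UPDATE appointments SET details = ? WHERE id = ?", (new_details, aptid))

def demonstrate():
    """Returns (vulnerable_modified, fixed_modified) for a cancelled appointment."""
    db = make_db()
    aptid = book(db, user_id=1, details="original")
    cancel(db, aptid)
    read = lambda: db.execute("SELECT details FROM appointments WHERE id = ?", (aptid,)).fetchone()[0]
    manage_appointment_vulnerable(db, aptid, "edited-after-cancel")
    vulnerable_modified = read() == "edited-after-cancel"
    try:
        manage_appointment_fixed(db, aptid, "edited-again")
        fixed_modified = True
    except LookupError:
        fixed_modified = read() == "edited-again"
    return vulnerable_modified, fixed_modified
```

Running `demonstrate()` returns `(True, False)`: the cancelled record is silently edited through the unchecked handler but rejected by the one that shares the state check.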
FirstBlood ID: 44
Vulnerability Type: Application/Business Logic
Whilst there's no security impact, it is possible to manage a cancelled appointment by visiting manageappointment.php with a valid appointment ID. When attempting to view a cancelled appointment via qa.php it will not respond, but manageappointment.php fails to do the checks.