FirstBlood-#679: Cancelled appointments are still accessible through /manageappointment.php endpoint
This issue was discovered on FirstBlood v2

On 2021-10-27, holybugx Level 5 reported:

Description

Hello Sean,

The canceled appointments are not completely canceled and are thus still accessible through various API endpoints, which makes it possible for the user to access their canceled appointments and modify the details.

This issue also exists on FirstBlood V1, and I think it should be considered an application logic bug. Normally, users shouldn't be able to access their canceled appointments due to the application logic (invalid appointment error on the /yourappointments.php endpoint). However, they are still accessible through another API, resulting in a bypass of the application logic.

Steps To Reproduce

  1. Make an appointment using the /book-appointment.php endpoint:

     • You will be given an appointment ID after doing so.

  2. Query for your appointment on the /yourappointments.php endpoint using your appointment ID.

  3. Use Cancel Appointment to cancel your appointment.

  4. Now if you try querying for your canceled appointment using the /yourappointments.php endpoint, you will face an error.

  5. To bypass this, use your appointment ID in the following URL as the value of the aptid parameter to access your appointment:
     https://firstbloodhackers.com/manageappointment.php?success&aptid={aptID}

As observed, you can still access the canceled appointment through another API endpoint, /manageappointment.php. This is an application logic bug which implies that the appointments are not canceled completely and are still accessible to the users through various API endpoints.

Impact

  • Users can still access their canceled appointments and modify the details due to bypassing the application logic.

Remediation

  • Completely remove the appointments after the user's cancellation from various API endpoints.

Kind Regards,

HolyBugx

P4 Low


FirstBlood ID: 44
Vulnerability Type: Application/Business Logic

Whilst there's no security impact, it is possible to manage a cancelled appointment by visiting manageappointment.php with a valid appointmentID. When attempting to view a cancelled appointment via qa.php it will not respond, but manageappointment.php fails to do the checks.
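The root cause described above is that one endpoint (/yourappointments.php) checks the appointment's state while another (/manageappointment.php) does not, so the "cancelled" state is enforced per page rather than in one place. The following is an added illustration of the fix, not FirstBlood's own code: a single loader that every appointment-handling page calls, which only returns an appointment when it belongs to the logged-in user and has not been cancelled. The table and column names, the session layout, the status values and the PDO connection string are all assumptions.

```php
<?php
// Added example (not FirstBlood's code). Shows the ownership-and-status gate a
// manageappointment.php-style endpoint should run before showing or editing an
// appointment. Schema, session keys and the DSN below are assumptions.

declare(strict_types=1);

const STATUS_ACTIVE    = 'active';      // assumed status values
const STATUS_CANCELLED = 'cancelled';

/**
 * Load an appointment only if it belongs to the current user AND has not been
 * cancelled. Returns null otherwise, so the caller answers 404 and a cancelled
 * appointment is indistinguishable from one that never existed.
 *
 * Every page that touches an appointment (view, manage, update, cancel) should
 * go through this one function; that is what closes the bypass, since a page
 * that skips its own check can no longer reach a cancelled record.
 */
function loadManageableAppointment(PDO $db, int $userId, string $aptId): ?array
{
    // aptid comes straight from the query string, so it is bound, never interpolated.
    $stmt = $db->prepare(
        'SELECT id, user_id, status, details
           FROM appointments
          WHERE id = :id AND user_id = :uid AND status <> :cancelled'
    );
    $stmt->execute([
        ':id'        => $aptId,
        ':uid'       => $userId,
        ':cancelled' => STATUS_CANCELLED,
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Cancel by changing state in the database (not just hiding the row in one
 * listing page). The WHERE clause re-applies the same ownership/status rule,
 * so a second cancel or a cancel by another user updates zero rows.
 */
function cancelAppointment(PDO $db, int $userId, string $aptId): bool
{
    $stmt = $db->prepare(
        'UPDATE appointments
            SET status = :cancelled
          WHERE id = :id AND user_id = :uid AND status <> :cancelled'
    );
    $stmt->execute([
        ':id'        => $aptId,
        ':uid'       => $userId,
        ':cancelled' => STATUS_CANCELLED,
    ]);
    return $stmt->rowCount() === 1;
}

// ---- endpoint glue for a manageappointment.php-style page (assumed layout) ----
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// Placeholder DSN/credentials; replace with the application's real connection.
$db = new PDO('mysql:host=localhost;dbname=example_db', 'example_user', 'example_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$aptId       = (string) ($_GET['aptid'] ?? '');
$appointment = loadManageableAppointment($db, (int) $_SESSION['user_id'], $aptId);

if ($appointment === null) {
    // Same response for "not yours", "cancelled" and "does not exist".
    http_response_code(404);
    exit('Invalid appointment');
}

// ... render the manage form for $appointment only after the gate above ...
```

The design point is that the cancelled state lives in the row and the check lives in one function shared by every endpoint, so adding a new page that handles appointments cannot reintroduce the bypass by forgetting its own status check. Returning the same 404 for a cancelled, foreign or missing appointment also avoids leaking which IDs once existed.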