FirstBlood-#7 PII leak via /drpanel/drapi/qp.php?name=sanjay



On 2021-05-09, codersanjay reported:

Even a non-logged-in person can view patients' PII data via the link below.

http://firstbloodhackers.com:49224/drpanel/drapi/qp.php?name=sanjay

Impact

PII leak of patient.

Note: an empty value in name will give all patient details.

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php?name=sanjay

Parameter: name

Payload: sanjay


FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, the endpoint /drapi/qp.php becomes available to ANY user (no login required) due to an application logic error.
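The logic error described above is easiest to see side by side with its fix. The following is an added example, not FirstBlood's own code: it models a handler in the shape of /drpanel/drapi/qp.php where the session check lives only inside the POST branch, so the same query reached via GET is served to an anonymous caller, and where an empty name skips the filter and returns every row (the behaviour noted in the report). The function names qp_vulnerable, qp_fixed and query_patients, the session dictionary, and the patient records are all assumptions constructed for the example.

```python
"""Method-dependent authorization bypass, modelled after the qp.php finding.

Added example; the handler names, session shape and patient data are
constructed for illustration and are not the FirstBlood application's code.
"""

# Constructed sample data standing in for the patient table.
PATIENTS = [
    {"name": "sanjay", "dob": "1990-01-01", "notes": "constructed record 1"},
    {"name": "alice", "dob": "1985-05-05", "notes": "constructed record 2"},
    {"name": "bob", "dob": "1970-12-12", "notes": "constructed record 3"},
]


def query_patients(name):
    """Hypothetical query helper.

    With an empty name the filter is skipped, which is why the report notes
    that an empty value returns every patient's details.
    """
    if name == "":
        return list(PATIENTS)
    return [p for p in PATIENTS if p["name"] == name]


def qp_vulnerable(method, params, session):
    """Vulnerable handler: the authorization check exists only on the POST path.

    Returns (status_code, rows). A GET request never reaches the session
    check and falls straight through to the query.
    """
    if method == "POST":
        if not session.get("doctor"):
            return 401, []
        name = params.get("name", "")
    else:
        # Logic error: GET is handled here with no session check at all.
        name = params.get("name", "")
    return 200, query_patients(name)


def qp_fixed(method, params, session):
    """Hardened handler: authorize first, regardless of HTTP method.

    Only POST is accepted, and an empty name is rejected instead of being
    treated as a wildcard that dumps the whole table.
    """
    if not session.get("doctor"):
        return 401, []
    if method != "POST":
        return 405, []
    name = params.get("name", "")
    if name == "":
        return 400, []
    return 200, query_patients(name)


def demonstrate():
    """Replay the reported requests against both handlers as an anonymous caller."""
    anonymous = {}
    return {
        "vuln_get_named": qp_vulnerable("GET", {"name": "sanjay"}, anonymous),
        "vuln_get_empty": qp_vulnerable("GET", {"name": ""}, anonymous),
        "vuln_post_anon": qp_vulnerable("POST", {"name": "sanjay"}, anonymous),
        "fixed_get_anon": qp_fixed("GET", {"name": "sanjay"}, anonymous),
    }


if __name__ == "__main__":
    for label, (status, rows) in demonstrate().items():
        print(f"{label}: HTTP {status}, {len(rows)} row(s) returned")
```

The point of the hardened version is ordering: the session check runs before any branch on the request method, so no method, header, or parameter variation can route around it. The verb restriction and the empty-name rejection are defence in depth against the two symptoms the report describes.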

Report Feedback

@zseano

Creator & Administrator


Nice find codersanjay! You're the first to discover this and this is the very first bounty we've awarded.. congratulations!!!


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.