FirstBlood-#7 — PII leak via /drpanel/drapi/qp.php?name=sanjay
This issue was discovered on FirstBlood v1
On 2021-05-09, codersanjay Level 3 reported:
Even a non-logged-in person can view patients' PII data via the link below.
http://firstbloodhackers.com:49224/drpanel/drapi/qp.php?name=sanjay
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1620570739/nf3gaq4dsh3j6ggmmavo.png)
Impact
PII leak of patient data.
Note: an empty value in name will give all patient details.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1620572510/ldsa2wts5fhermw146rf.png)
P1 CRITICAL
Endpoint: /drpanel/drapi/qp.php?name=sanjay
Parameter: name
Payload: sanjay
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error.
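The following is an added example and is not FirstBlood's own qp.php source. It is a hypothetical Python model of the logic error described in the classification above: an auth check that lives only in the POST branch, so a GET request skips it, combined with a search that treats an empty name as a wildcard. The record set, the `doctor` session flag, and the substring-style matching are all assumptions made for the illustration. A hardened handler and a small probe that reproduces the two findings in the report (unauthenticated GET, empty name dumps every record) are included so the vulnerable and fixed behaviour can be compared side by side.

```python
# Added example (not FirstBlood's code): hypothetical model of the qp.php
# logic error, a hardened version, and a probe for the two reported findings.
from typing import Callable, Dict, List

# Constructed sample records for the demo; not real patient data.
PATIENTS: List[Dict[str, str]] = [
    {"name": "sanjay", "dob": "1990-01-01", "phone": "555-0101"},
    {"name": "sandra", "dob": "1985-06-15", "phone": "555-0102"},
    {"name": "alice", "dob": "1978-11-30", "phone": "555-0103"},
]


def search_patients(name: str) -> List[Dict[str, str]]:
    """Substring match, as a LIKE '%name%' query would behave (assumption).
    With name == '' every record matches, which is the bulk-leak path."""
    return [p for p in PATIENTS if name in p["name"]]


def vulnerable_qp(method: str, params: Dict[str, str], session: Dict[str, bool]) -> Dict:
    """Hypothetical vulnerable handler: the doctor-session check is only in
    the POST branch, so switching the request method to GET bypasses it."""
    if method == "POST":
        if not session.get("doctor"):
            return {"status": 401, "body": []}
        name = params.get("name", "")
    elif method == "GET":
        name = params.get("name", "")  # no auth check here: the logic error
    else:
        return {"status": 405, "body": []}
    return {"status": 200, "body": search_patients(name)}


def hardened_qp(method: str, params: Dict[str, str], session: Dict[str, bool]) -> Dict:
    """Fixed handler: authenticate before any branching, accept only POST,
    and reject an empty search term instead of treating it as a wildcard."""
    if not session.get("doctor"):
        return {"status": 401, "body": []}
    if method != "POST":
        return {"status": 405, "body": []}
    name = params.get("name", "").strip()
    if not name:
        return {"status": 400, "body": []}
    return {"status": 200, "body": search_patients(name)}


def probe(handler: Callable) -> Dict[str, bool]:
    """Run the checks from the report against a handler with no session."""
    anon: Dict[str, bool] = {}
    get_named = handler("GET", {"name": "sanjay"}, anon)
    get_empty = handler("GET", {"name": ""}, anon)
    post_named = handler("POST", {"name": "sanjay"}, anon)
    return {
        "unauth_get_returns_pii": get_named["status"] == 200 and len(get_named["body"]) > 0,
        "empty_name_dumps_all": get_empty["status"] == 200 and len(get_empty["body"]) == len(PATIENTS),
        "unauth_post_blocked": post_named["status"] != 200,
    }


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_qp), ("hardened", hardened_qp)):
        print(label, probe(handler))
```

The probe is the check a tester wants when confirming this class of bug: the same parameters sent with each HTTP method, without a session, and the empty-value case on top. Note that the fix is not just "block GET"; the authorization check has to run before any method-specific branch, and the empty-string wildcard is a separate defect that would still dump the table for an authenticated low-privilege user.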
Creator & Administrator
Nice find, codersanjay! You're the first to discover this, and this is the very first bounty we've awarded... congratulations!!!