FirstBlood-#707Newly created dr accounts can access patient PII via search api
This issue was discovered on FirstBlood v2



On 2021-10-27, 0xsaltyhash Level 3 reported:

Summary:

no check on /drpanel/drapi/qp.php whether the dr account issuing the request is approved or not, if the doctor is trying to use this functionality from the UI he/she will see a prompt saying As your account is new you are unable to search for patients.

but if a malicious dr got hold of the path to the qp endpoint he/she will be able to get patients data.

Steps to reproduce:

  1. Log in to your doctor account.
  2. Issue any request and intercept it via burp proxy.
  3. In the proxy window right click on the request and click change request method
  4. Change the URI Path to /drpanel/drapi/qp.php.
  5. Add a body parameter name and assign it any letter.

  1. Forward the request.

The results on the browser.

You can send the request to repeater and enumerate all patients names and scrape all their PII.

Impact:

Unauthorized Doctor account can access PII of patients because no checks done on the API endpoint assuming attacker cannot possibly know this particular endpoint (employing security through obscurity)

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: name=jo


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php use to respond to GET requests and it should only allow administrators to query for patient information however the developers only fixed the bug partially and it still allowed for doctors to query for patient information. query.php is related to this file and in v1 allowed for Doctors and admins, but query.php was fixed completely whereas qp.php was not.