FirstBlood-#717 — New doctors unauthorized access to patients management details
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, holybugx reported:
New doctors do not have access to the Patient Management details due to the application logic. However, this authorization check can be bypassed using a direct POST request to the
Steps To Reproduce
- Use the drAdmin's account to search for patients and log the requests:
- Swap the drAdmin's cookies with a new doctor's cookies and forward the requests:
As observed, new doctors can access patients' information using a direct POST request to the /drpanel/drapi/qp.php API endpoint. The authorization check is only being done on the UI, thus it can be bypassed.
- Unauthorized access to patients' PII.
- Implementing proper authorization checks on the
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
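The two points above (a check enforced only in the UI or only on one request path, and the cookie-swap replay that exposes it) are easiest to see side by side. The following is an added example, not FirstBlood's code: it models qp.php as a Python handler with an in-memory patient list and session table, a hypothetical partially fixed handler whose admin check covers only GET, a hardened handler that authorizes by role on every request, and the report's own test (replay the privileged request with the low-privilege cookie). All data, cookie values, function names and the GET-only assumption are constructed for illustration.

```python
"""Model of the qp.php authorization flaw and its fix.

Constructed example: no real FirstBlood data, schema, or cookie format.
"""
from dataclasses import dataclass
from typing import Any

# Constructed patient records (stand-in for the patient management table).
PATIENTS = {
    1: {"name": "Jane Doe", "dob": "1980-01-02"},
    2: {"name": "John Roe", "dob": "1975-05-06"},
}

# Constructed sessions keyed by cookie value. The report swaps drAdmin's
# cookie for a newly registered doctor's cookie; both are logged in.
SESSIONS = {
    "cookie-drAdmin": {"user": "drAdmin", "role": "admin"},
    "cookie-newdoc": {"user": "drNew", "role": "doctor"},
}


@dataclass
class Response:
    status: int
    body: Any = None


def patient_query(name: str) -> list:
    """Case-insensitive substring search over patient names."""
    return [p for p in PATIENTS.values() if name.lower() in p["name"].lower()]


def qp_partial_fix(cookie: str, method: str, params: dict) -> Response:
    """Hypothetical partially fixed handler.

    Assumption for illustration: the admin-only check was bolted onto the
    GET path, so a direct POST still answers any authenticated doctor.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return Response(401)
    if method == "GET" and session["role"] != "admin":
        return Response(403)
    return Response(200, patient_query(params.get("name", "")))


def qp_fixed(cookie: str, method: str, params: dict) -> Response:
    """Hardened handler: authenticate, then authorize by role before any
    data access, independent of HTTP method; reject unsupported methods."""
    session = SESSIONS.get(cookie)
    if session is None:
        return Response(401)
    if session["role"] != "admin":  # per the triage note: admins only
        return Response(403)
    if method != "POST":
        return Response(405)
    return Response(200, patient_query(params.get("name", "")))


def cookie_swap_check(handler, privileged_cookie: str, low_priv_cookie: str,
                      method: str, params: dict) -> bool:
    """The report's test: replay the privileged request with the low-privilege
    cookie. True means the low-privilege session got the same 200 response,
    i.e. the authorization check is bypassable."""
    baseline = handler(privileged_cookie, method, params)
    replayed = handler(low_priv_cookie, method, params)
    return (baseline.status == 200 and replayed.status == 200
            and replayed.body == baseline.body)


if __name__ == "__main__":
    q = {"name": "jane"}
    print("partial fix, POST bypass:",
          cookie_swap_check(qp_partial_fix, "cookie-drAdmin", "cookie-newdoc", "POST", q))
    print("fixed handler, POST bypass:",
          cookie_swap_check(qp_fixed, "cookie-drAdmin", "cookie-newdoc", "POST", q))
```

The replay check is worth keeping as a regression test: it compares the body as well as the status, so a handler that returns 200 with an empty list to unauthorized users still passes, while one that leaks the same records fails. Testing only the method the UI uses would have passed the partial fix.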