FirstBlood-#717 New doctors unauthorized access to patients management details
This issue was discovered on FirstBlood v2



On 2021-10-27, holybugx Level 5 reported:

Description

Hello Sean,

New doctors do not have access to the Patient Management details due to the application logic. However, this authorization check can be bypassed using a direct POST request to the /drpanel/drapi/qp.php API endpoint.

Steps To Reproduce

  1. Use the drAdmin's account to search for patients and log the requests:

  2. Swap the drAdmin's cookies with a new doctor's cookies and forward the requests:

As observed, new doctors can access patients' information using a direct POST request to the /drpanel/drapi/qp.php API endpoint. The authorization check is only being done on the UI and can thus be bypassed.

Impact

  • Unauthorized access to patients' PII.

Remediation

  • Implementing proper authorization checks on the /drpanel/drapi/qp.php API endpoint.

Kind Regards,

HolyBugx

P3 Medium

Parameter:

Payload:


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php used to respond to GET requests and should only allow administrators to query for patient information. However, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins; query.php was fixed completely whereas qp.php was not.
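The root cause above is a role check that lives only in the UI, plus a fix applied to query.php but not to its sibling qp.php. The following is an added example, not FirstBlood's own code, that models both endpoints in Python: the "before" handler trusts any logged-in session, the "after" handlers share one server-side role gate, and a small route audit finds any patient endpoint that was left without the gate. The session layout, the handler signature (request dict in, (status, body) out), and the patient records are constructed assumptions.

```python
from functools import wraps

# Constructed sample records standing in for the patient table.
PATIENTS = [
    {"id": "P-100", "name": "Example Patient", "dob": "1970-01-01"},
    {"id": "P-101", "name": "Sample Person", "dob": "1985-05-05"},
]


def search_patients(query):
    """Case-insensitive name search over the sample table."""
    q = query.lower()
    return [p for p in PATIENTS if q in p["name"].lower()]


def require_role(*allowed):
    """Server-side role gate. The role comes from the server-held session,
    never from a request parameter, so swapping cookies to a doctor's
    session yields a doctor role and is refused here regardless of what
    the UI hides. The wrapper is tagged so the audit below can find it."""
    def deco(handler):
        @wraps(handler)
        def wrapped(request):
            session = request.get("session") or {}
            if "role" not in session:
                return 401, {"error": "login required"}
            if session["role"] not in allowed:
                return 403, {"error": "forbidden"}
            return handler(request)
        wrapped.allowed_roles = frozenset(allowed)
        return wrapped
    return deco


def qp_vulnerable(request):
    """Before: models the reported v2 behaviour of qp.php. Any logged-in
    session, doctor included, gets patient data back."""
    if not request.get("session"):
        return 401, {"error": "login required"}
    return 200, search_patients(request.get("params", {}).get("name", ""))


@require_role("admin")
def qp_fixed(request):
    """After: same query, admin-only at the API, not just in the UI."""
    return 200, search_patients(request.get("params", {}).get("name", ""))


@require_role("admin")
def query_fixed(request):
    """The sibling endpoint, guarded by the same decorator."""
    return 200, search_patients(request.get("params", {}).get("name", ""))


# Hypothetical route table; the paths are the ones named in the report.
ROUTES = {
    "/drpanel/drapi/query.php": query_fixed,
    "/drpanel/drapi/qp.php": qp_fixed,
}


def unguarded_routes(routes):
    """Return paths whose handler carries no require_role tag. Run as a
    test, this flags the partial-fix case (query.php guarded, qp.php not)."""
    return sorted(path for path, h in routes.items()
                  if not hasattr(h, "allowed_roles"))


if __name__ == "__main__":
    doctor = {"session": {"role": "doctor"}, "params": {"name": "example"}}
    print("vulnerable, doctor:", qp_vulnerable(doctor)[0])   # 200
    print("fixed, doctor:", qp_fixed(doctor)[0])             # 403
    print("unguarded:", unguarded_routes(ROUTES))            # []
```

The audit function is the piece that addresses the partial fix: checking each route for the gate marker, rather than trusting that every file was edited, turns "did we lock down all admin endpoints?" into a repeatable test instead of a question asked after the report.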

Report Feedback

@zseano

Creator & Administrator


Nice report! We actually made a mistake here and this endpoint should have only been accessible to admins (which it is now if you try!). However, the one thing with this was: were all admin endpoints locked down? :D