FirstBlood-#81A User can modify the Email of their appointment despite being disabled for safeguarding reasons



On 2021-05-10, xnl-h4ck3r Level 4 reported:

Summary

When a user modifies an appointment on /manageappointment.php, the page says "For safeguarding reasons you are only able to modify certain information about your appointment." The email address is disabled, but a user can change it by adding the email parameter to the POST request, or by including it directly in the Extra Comments field because of a DOM XSS vulnerability.

Steps to Reproduce

This can either be done using a proxy such as Burp, or by exploiting the Extra Comments field:

Ensure you have the cookie doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 (this is obtained from registering, even if the registration is unsuccessful, and the value is fixed).

Proxy method

  1. Book an appointment on /book-appointment.html and note down the Appointment ID
  2. Go to /yourappointments.php and enter the Appointment ID, and click RETRIEVE APPOINTMENT
  3. Notice the message "For safeguarding reasons you are only able to modify certain information about your appointment." and that you are unable to modify the email address.
  4. Proxy traffic through Burp and turn Intercept on
  5. On /manageappointment.php for your appointment, click MODIFY APPOINTMENT
  6. A POST request to /api/ma.php will be intercepted, and you can add email=newemailaddress to the request before forwarding.
  7. Now enter your appointment ID again and click RETRIEVE APPOINTMENT
  8. Observe the changed email address.

Extra Comments field exploit

  1. Book an appointment on /book-appointment.html and note down the Appointment ID
  2. Go to /yourappointments.php and enter the Appointment ID, and click RETRIEVE APPOINTMENT
  3. Notice the message "For safeguarding reasons you are only able to modify certain information about your appointment." and that you are unable to modify the email address.
  4. Enter a value in the Extra Comments field (message) of message&email=newemailaddress and click MODIFY APPOINTMENT
  5. On /manageappointment.php for your appointment, click MODIFY APPOINTMENT
  6. Now enter your appointment ID again and click RETRIEVE APPOINTMENT
  7. Observe the changed email address.

Impact

A user is able to bypass safeguard controls for the management of appointments.

P2 High

Endpoint: /api/ma.php

Parameter: email, message

Payload: n/a


FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, it allows them to modify the email address for any appointment.
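As an added illustration of the two defects described above (this is not code from FirstBlood or the reporter), the following simulates a client that builds the update body by string concatenation and a server-side handler for /api/ma.php; all function and field names are assumptions. The hardened handler applies an allow-list of patient-editable fields, so the fixed-value cookie no longer unlocks the email field.

```javascript
// Added example (not FirstBlood's own code). Simulates both halves of the report:
// a client that builds the POST body by concatenation, and a handler for /api/ma.php
// deciding which appointment fields a patient may change. Names are assumptions.

// Client side, vulnerable: a comment containing "&email=..." becomes a second parameter.
function buildBodyNaive(appointmentId, message) {
  return "id=" + appointmentId + "&message=" + message;
}

// Client side, fixed: URLSearchParams percent-encodes "&" and "=" inside the value,
// so the whole comment stays in the message parameter.
function buildBodySafe(appointmentId, message) {
  return new URLSearchParams({ id: String(appointmentId), message }).toString();
}

// Server side, vulnerable: trusts every parameter, and the fixed-value doctorAuthed
// cookie (obtainable by anyone who attempts doctor registration) unlocks the email field.
function applyUpdateVulnerable(appointment, body, cookies) {
  const params = Object.fromEntries(new URLSearchParams(body));
  const updated = { ...appointment };
  if (params.message !== undefined) updated.message = params.message;
  if (cookies.doctorAuthed && params.email !== undefined) updated.email = params.email;
  return updated;
}

// Server side, hardened: an explicit allow-list of patient-editable fields; anything
// else in the body (email included) is ignored regardless of which cookies are present.
const PATIENT_EDITABLE = ["message"];
function applyUpdateHardened(appointment, body, _cookies) {
  const params = new URLSearchParams(body);
  const updated = { ...appointment };
  for (const field of PATIENT_EDITABLE) {
    if (params.has(field)) updated[field] = params.get(field);
  }
  return updated;
}

// Constructed sample appointment and the comment-field payload shape from the report.
const sample = { id: 1234, email: "patient@example.com", message: "" };
const payload = "hello&email=attacker@example.com";
const cookies = { doctorAuthed: "eyJkb2N0b3JBdXRoIjphdXRoZWR9" };
```

With the naive body and vulnerable handler the email changes; with either the safe body builder or the hardened handler it does not, and the hardened handler is the fix that matters because the client cannot be trusted to encode correctly.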


Respect Earnt: 1.5M
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.