FirstBlood-#814 Auth issue allowing a new doctor to view all appointment details that should require admin access
This issue was discovered on FirstBlood v2



On 2021-10-28, xnl-h4ck3r Level 4 reported:

Summary

On /drpanel/index.php, the Search Patient functionality is only supposed to be available for Admin users, not new doctors. However, a new doctor can use the /drpanel/drapi/qp.php endpoint directly to search for all patient PII that they shouldn't have access to. This was a vulnerability in version 1 but doesn't seem to have been fixed.

Steps to reproduce

  1. Register as a new doctor and log in.

  2. On the /drpanel/index.php endpoint, click the Search Patient menu option and click Search. Observe the error message saying your user does not have access to do this:

  3. Go to Burp and create a POST request to /drpanel/drapi/qp.php with your user's cookie and a parameter of name= to get details of all appointments:

Impact

A new user can view details of all appointments even though they should not be authorised to view that.

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: blank


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
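The root cause described in the Summary and in the note above is that the admin check lived in the UI (/drpanel/index.php) while the API endpoint (qp.php) only verified that a doctor was logged in. The following is an added illustration, not FirstBlood's own source: a vulnerable handler beside a fixed one in which the role check is enforced on the endpoint itself and shared with sibling endpoints such as query.php. The session keys, the role name 'admin', and the find_patients helper are assumptions.

```php
<?php
// Added example (not FirstBlood code). Session layout, role names and the
// lookup helper are assumptions made for illustration.
declare(strict_types=1);
session_start();

// Hypothetical data-access helper standing in for the real patient lookup.
function find_patients(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, appointment FROM patients WHERE name LIKE :q');
    $stmt->execute([':q' => '%' . $name . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Shared guard: put it in one include so qp.php and query.php cannot drift
// apart again (the report notes one was fixed and the other was not).
function require_admin(): void {
    if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
    if (($_SESSION['role'] ?? '') !== 'admin') {          // assumed role field
        // Denied calls are a useful detection signal for IDOR/BOLA probing.
        error_log('qp.php: non-admin user ' . $_SESSION['user_id'] . ' denied');
        http_response_code(403);
        exit;
    }
}

// BEFORE (the reported behaviour): any logged-in doctor reaches the query,
// and an empty name= matches every row, so all appointment PII is returned.
function qp_vulnerable(PDO $db): void {
    if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
    $name = $_POST['name'] ?? '';
    header('Content-Type: application/json');
    echo json_encode(find_patients($db, $name));
}

// AFTER: authorization is decided server-side from the session role, never
// from whether the menu item was visible; a blank name no longer dumps all.
function qp_fixed(PDO $db): void {
    require_admin();
    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '') { http_response_code(400); exit; }
    header('Content-Type: application/json');
    echo json_encode(find_patients($db, $name));
}
```

The same require_admin() call belongs at the top of every endpoint that returns patient data, so a fix applied to query.php is automatically applied to qp.php.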