FirstBlood-#814 — Auth issue allowing a new doctor to view all appointment details that should require admin access
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r reported:
On /drpanel/index.php, the Search Patient functionality is only supposed to be available for Admin users, not new doctors. However, a new doctor can use the /drpanel/drapi/qp.php endpoint directly to search for all patient PII that they shouldn't have access to. This was a vulnerability in version 1 but doesn't seem to have been fixed.
Steps to reproduce
Register as a new doctor and log in.
On the /drpanel/index.php endpoint, click the Search Patient menu option and click Search. Observe the error message saying your user does not have access to do this:
Go to Burp and create a POST request to /drpanel/drapi/qp.php with your user's cookie and a parameter of name= to get details of all appointments:
A new user can view details of all appointments even though they should not be authorised to view them.
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information. However, the developers only fixed the bug partially: the GET route was dealt with, but the endpoint still allowed doctors to query for patient information, because the role check enforced by the Search Patient menu in index.php was never applied to the API endpoint itself. query.php is related to this file and in v1 allowed both doctors and admins to query; query.php was fixed completely, whereas qp.php was not.
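The following is an added example, not FirstBlood's own code, covering both the reproduction steps above and the partial-fix explanation. It stands up a minimal local mock of /drpanel/drapi/qp.php with two interchangeable authorisation policies (the partial fix as reported, where only the GET route was removed and any logged-in user may POST, and an admin-only check) and then replays the report's request from a doctor session. The cookie name `session`, the role values, the appointment rows and the 405 returned for GET are all assumptions made for illustration.

```python
"""Mock of the qp.php authorisation flaw plus a client replaying the report's request.
Added illustration, not FirstBlood's code: the cookie name, role values, appointment
rows and the 405 returned for GET are all assumptions."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

QP_PATH = "/drpanel/drapi/qp.php"
SESSIONS = {"admin-cookie": "admin", "doctor-cookie": "doctor"}  # constructed: token -> role
APPOINTMENTS = [  # constructed rows standing in for the patient PII the endpoint returns
    {"name": "Alice Example", "dob": "1980-01-01", "reason": "check-up"},
    {"name": "Bob Example", "dob": "1975-06-30", "reason": "follow-up"},
]


def qp_partial_fix(method, role):
    """v2 as reported: GET is no longer answered, but any logged-in user may POST."""
    if method != "POST":
        return 405, None
    if role is None:
        return 401, None
    return 200, APPOINTMENTS


def qp_admin_only(method, role):
    """The check index.php's Search Patient menu already applies: admins only."""
    if method != "POST":
        return 405, None
    if role != "admin":
        return 403, None
    return 200, APPOINTMENTS


class QpHandler(BaseHTTPRequestHandler):
    policy = staticmethod(qp_partial_fix)  # swapped by run_server()

    def log_message(self, *args):  # keep request logging quiet
        pass

    def do_GET(self): self._handle("GET")
    def do_POST(self): self._handle("POST")

    def _handle(self, method):
        if self.path != QP_PATH:
            return self._respond(404, None)
        cookie = self.headers.get("Cookie", "")
        cookies = dict(p.strip().partition("=")[::2] for p in cookie.split(";"))
        role = SESSIONS.get(cookies.get("session"))
        length = int(self.headers.get("Content-Length", 0))
        params = parse_qs(self.rfile.read(length).decode()) if length else {}
        name = params.get("name", [""])[0]
        code, rows = self.policy(method, role)
        if rows is not None:
            # An empty name= matches every row: that is how the report dumped all appointments.
            rows = [r for r in rows if name.lower() in r["name"].lower()]
        self._respond(code, rows)

    def _respond(self, code, body):
        payload = json.dumps(body).encode() if body is not None else b""
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def query_patients(base_url, session_token, name="", method="POST"):
    """Replay the report's request: name=<value> to qp.php with the user's cookie.
    Returns (status, rows); rows is None when the request was refused."""
    data = urlencode({"name": name}).encode() if method == "POST" else None
    req = Request(base_url + QP_PATH, data=data, method=method, headers={
        "Cookie": f"session={session_token}",
        "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as err:
        return err.code, None


def run_server(policy):
    """Start the mock endpoint with the given policy on an ephemeral local port."""
    QpHandler.policy = staticmethod(policy)
    server = HTTPServer(("127.0.0.1", 0), QpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def probe(policy):
    """The report's check: does a doctor's POST with an empty name= return every row?"""
    base_url, server = run_server(policy)
    try:
        doctor_post, doctor_rows = query_patients(base_url, "doctor-cookie")
        doctor_get, _ = query_patients(base_url, "doctor-cookie", method="GET")
        admin_post, admin_rows = query_patients(base_url, "admin-cookie")
        return {"doctor_post": doctor_post, "doctor_rows": len(doctor_rows or []),
                "doctor_get": doctor_get, "admin_post": admin_post,
                "admin_rows": len(admin_rows or [])}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("qp.php as reported (partial fix):", probe(qp_partial_fix))
    print("qp.php with admin-only check:", probe(qp_admin_only))
```

Under the partial-fix policy the GET is refused but the doctor's POST still returns every appointment, which is exactly the report's observation; the admin-only policy refuses the doctor with 403 while the admin still gets the rows. The point for the fix is that the authorisation decision has to live in the API endpoint, not only in the menu that links to it.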