FirstBlood-#829 — Deleted doctor account can be used to access private user information of patient
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, vishal Level 2 reported:
Description: Deleted doctor account can be used to access private user information of patient.
Note: If you find this report not digestible, then please consider going through the reports I have added in reference.
Steps to Reproduce:
- In a previous report, I discussed how the admin endpoint can be accessed by a non-admin, newly registered doctor to see private information of doctors (the report can be seen here: https://www.bugbountyhunter.com/hackevents/report?id=824).
- I have also discovered that the first account gets deleted or deactivated just after registering another account with the same invite code.
- Now it is time to use the information from both. Create a POST request to the admin endpoint /drpanel/drapi/qp.php with the drps cookie of the deleted account, just like the request I have added below.
POST /drpanel/drapi/qp.php HTTP/1.1
Host: d286a567fc45-vishal.a.firstbloodhackers.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
Origin: https://d286a567fc45-vishal.a.firstbloodhackers.com
Connection: close
Referer: https://d286a567fc45-vishal.a.firstbloodhackers.com/drpanel/index.php
Cookie: drps=153a1070aa9259acbf3446994
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

name=
Note:- This endpoint should require an admin cookie, as this page has sensitive info. But to my surprise, first I was able to access it with a new doctor cookie, and now I'm able to access it with the cookie of a deleted doctor account.
In the response below, private information of the patient can be seen.
Note:- The endpoint didn't work without a cookie or if a wrong drps cookie was used, although I was able to get patient info with the deleted account's cookie.
Let me know if anything is missing or further information is required.
Thanks and Regards - Vishal
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests and should only allow administrators to query for patient information; however, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
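The two findings on this page (a doctor cookie accepted on an admin-only endpoint, and a deleted doctor's cookie still accepted) both come down to how the drps cookie is resolved before the patient query runs. The following is an added example, not FirstBlood's code, showing the check a qp.php-style handler needs: resolve the cookie to an account, refuse accounts that are no longer active, and only then enforce the admin role. The account names, token values, role strings and the in-memory session store are constructed for the example; a real deployment would back them with the application's database, and deactivation should purge the account's sessions as shown in deactivate_account.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    username: str
    role: str            # "admin" or "doctor" (assumed role names)
    active: bool = True  # False once the account is deleted/deactivated


# Constructed sample accounts and sessions (not real FirstBlood data).
# Session tokens stand in for the value of the drps cookie.
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", "admin"),
    "drbob": Account("drbob", "doctor"),
    "drcarol": Account("drcarol", "doctor"),
}
SESSIONS: Dict[str, str] = {
    "tok-admin-1": "alice",
    "tok-doctor-1": "drbob",
    "tok-doctor-2": "drcarol",
}


def deactivate_account(username: str) -> int:
    """Mark the account inactive AND revoke every session bound to it.

    Returns the number of sessions revoked. Deleting the account row
    without this step is what leaves a still-valid drps cookie behind.
    """
    acct = ACCOUNTS.get(username)
    if acct is None:
        return 0
    acct.active = False
    stale = [tok for tok, user in SESSIONS.items() if user == username]
    for tok in stale:
        del SESSIONS[tok]
    return len(stale)


def resolve_session(token: Optional[str]) -> Optional[Account]:
    """Map a cookie value to a live account, or None if it must be refused."""
    if not token:
        return None
    username = SESSIONS.get(token)
    if username is None:
        return None
    acct = ACCOUNTS.get(username)
    # Defence in depth: even if a session row outlived the account
    # (deactivation forgot to purge it), an inactive account gets nothing.
    if acct is None or not acct.active:
        return None
    return acct


def authorize_patient_query(token: Optional[str]) -> Tuple[bool, str]:
    """Decision for an admin-only patient lookup: active session, admin role."""
    acct = resolve_session(token)
    if acct is None:
        return False, "no valid session"
    if acct.role != "admin":
        return False, "admin role required"
    return True, "ok"


if __name__ == "__main__":
    print(authorize_patient_query("tok-admin-1"))    # (True, 'ok')
    print(authorize_patient_query("tok-doctor-1"))   # (False, 'admin role required')
    deactivate_account("drbob")
    print(authorize_patient_query("tok-doctor-1"))   # (False, 'no valid session')
```

The role check alone would have stopped the first report; the active-status check in resolve_session is what closes this one, and purging sessions in deactivate_account removes the stale cookie rather than relying on every endpoint to re-check it.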