FirstBlood-#829 Deleted doctor account can be used to access private user information of patient
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-29, vishal Level 2 reported:

Description: Deleted doctor account can be used to access private user information of patient.

Note: If you find this report not digestible then please consider going through the reports I have added in the references.

Steps to Reproduce:

  1. In a previous report, I discussed how the admin endpoint can be accessed by a non-admin, newly registered doctor to see private information of doctors. (The report can be seen here: https://www.bugbountyhunter.com/hackevents/report?id=824)
  2. I have also discovered that the first account gets deleted or deactivated just after registering another account with the same invite code.
  3. Now is the time to use both pieces of information. Create a POST request to the admin endpoint /drpanel/drapi/qp.php with the drps cookie of the deleted account, just like the request I have added below.
    POST /drpanel/drapi/qp.php HTTP/1.1
    Host: d286a567fc45-vishal.a.firstbloodhackers.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 5
    Origin: https://d286a567fc45-vishal.a.firstbloodhackers.com
    Connection: close
    Referer: https://d286a567fc45-vishal.a.firstbloodhackers.com/drpanel/index.php
    Cookie: drps=153a1070aa9259acbf3446994
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin

    name=

    Note: This endpoint should require an admin cookie, as this page has sensitive info, but to my surprise I was first able to access it with a new doctor cookie, and now I'm able to access it with the cookie of a deleted doctor account.

In the response below, private information of the patient can be seen.

Note: The endpoint didn't work without a cookie or if a wrong drps cookie was used, although I was able to get patient info with the deleted account's cookie.

Reference:

https://www.bugbountyhunter.com/hackevents/report?id=824
https://www.bugbountyhunter.com/hackevents/report?id=826

Let me know if anything is missing or further information is required.

Thanks and Regards - Vishal

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name=

Payload: none


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information. However, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed access for doctors and admins, but query.php was fixed completely whereas qp.php was not.
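
The following added example (not FirstBlood's code, and written in Python rather than the application's PHP) models the authorization gate the endpoint needs: the session must resolve to an account that is still active and holds the admin role. `SessionStore`, `cookie_only_check`, `authorize_patient_query` and all usernames and cookie values are hypothetical names constructed for the illustration; `cookie_only_check` is an assumed model of the reported behaviour, not the real implementation.

```python
from dataclasses import dataclass

@dataclass
class Account:
    role: str            # "doctor" or "admin"
    active: bool = True  # set to False when the account is deleted or deactivated

class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical)."""
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.sessions = {}   # drps cookie value -> username

    def login(self, username, role, token):
        self.accounts[username] = Account(role)
        self.sessions[token] = username

    def delete_account(self, username, revoke_sessions=True):
        self.accounts[username].active = False
        if revoke_sessions:  # drop every cookie still bound to the deleted account
            self.sessions = {t: u for t, u in self.sessions.items() if u != username}

def cookie_only_check(store, token):
    """Weak gate modelling the reported behaviour: any known drps value passes."""
    return 200 if token in store.sessions else 401

def authorize_patient_query(store, token):
    """Hardened gate: the session must map to an active account with the admin role."""
    account = store.accounts.get(store.sessions.get(token))
    if account is None or not account.active:
        return 401       # unknown cookie, or cookie of a deleted account
    if account.role != "admin":
        return 403       # authenticated doctor, but not authorised for this endpoint
    return 200

def demo():
    store = SessionStore()
    # Constructed sample users and cookie values.
    store.login("old_doctor", "doctor", "tok-old")
    store.login("new_doctor", "doctor", "tok-new")
    store.login("admin", "admin", "tok-admin")
    store.delete_account("old_doctor", revoke_sessions=False)  # deletion as reported
    return {t: (cookie_only_check(store, t), authorize_patient_query(store, t))
            for t in ("tok-old", "tok-new", "tok-admin", "tok-bogus")}

if __name__ == "__main__":
    for token, (weak, hardened) in demo().items():
        print(f"{token}: cookie-only={weak} hardened={hardened}")
```

Revoking sessions at deletion time and checking the account state on every request are independent controls; the hardened gate still rejects the deleted account's cookie when revocation is skipped.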