FirstBlood-#830 — Patients can still change their application email
This issue was discovered on FirstBlood v2
On 2021-10-29, 0x1452 Level 3 reported:
In the previous version it was reported that patients were able to edit their email on applications if the
doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9cookie was present. This cookie is automatically set after trying to register, even if it fails.
This issue is still present and the UI still tells us that we're not supposed to be allowed to edit our email:
Steps to reproduce
- Try to register at
/register.php(doesn't matter if it's valid or not). Alternatively, set the cookie
- Book an appointment at
- Copy the appointment ID and submit it at
- Notice that the UI only lets you edit your message. Click on Modify Appointment.
- Repeat the request to
/api/ma.phpin a tool like Burp but add the parameter
email=whateverto the body
- Repeat step 3 or directly navigate to
/manageappointment.php?success&aptid=:aptidand notice that the email got changed to
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID
21 and whilst it was not possible to modify via integer, if the ID was known it would still work.