FirstBlood-#876New doctor account (limited access) can view patient information through an API call
This issue was discovered on FirstBlood v2



On 2021-10-29, vigilante Level 4 reported:

Summary:

A new doctor should have a limited visibility without being able to see patients private data. This can be bypassed by making a POST request to the /drpanel/drapi/qp.php endpoint.

Steps to Reproduce:

  1. Register as a new doctor on the register page. (note: for this you need to use the "test" unique code).
  2. Log in as a new doctor.
  3. After you log into this account you'll see a message that the search is limited for new accounts:

  1. Send a post request to the 'qp.php' endpoint which can be either bruteforced or in our case we know it from another account (drAdmin).
POST /drpanel/drapi/qp.php HTTP/1.1
Host: ca20e7622a6e-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b0b1f17cbc0fdc9a9ce23dfdf
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

name=
  1. You will see patients private data even though the new doctor account shouldn't be able to see them.

Supporting Material:

Just to confirm that we're using a new doctor's account in step 4. Notice the cookies on the screenshots in the doctor's panel, it's the same.

Impact

New doctor which should have limited privileges is able to see patients data.

Mitigation

Make sure this endpoint verifies if the user sending the query is authorized to see it.

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name=

Payload: *


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php use to respond to GET requests and it should only allow administrators to query for patient information however the developers only fixed the bug partially and it still allowed for doctors to query for patient information. query.php is related to this file and in v1 allowed for Doctors and admins, but query.php was fixed completely whereas qp.php was not.