FirstBlood-#885 — Broken Access Control Leads to Information Leak
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, mrrootsec Level 2 reported:
Hello Zseano, Hope you are doing well...
As per the application logic, a newly registered doctor is not able to search or view the patient details. It will show "You are not authorised to view this. Consult your medical administrator." But through the API endpoint we can get the patient data by bypassing the frontend restrictions.
Steps to Reproduce the Issue :
- Navigate to https://719f36d6abd3-mrrootsec.a.firstbloodhackers.com/register.php
- Create a new user and Login with the provided credentials
- Go to Search Patient, enter any search term -> click on Search; the application gives an error: "As your account is new you are unable to search for patients."
- If we make a POST-based request containing the name parameter in the body to this endpoint https://719f36d6abd3-mrrootsec.a.firstbloodhackers.com/drpanel/drapi/qp.php, we can get the patient details, bypassing the front-end restrictions.
- As an attacker, using this vulnerability PII information can be obtained
Remediation / Fix :
- Add Proper Access control to the API Endpoints
- Handle Access Controls At Server-Side
- Enable RBAC (Role Based Access Controls)
Thanks and Regards MOHAMMAD SAQLAIN
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests and should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
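The remediation list above and the triage note both point at the same root cause: the role check lived in the front end and, where it existed server-side, was applied to one endpoint but not its sibling. The following is an added illustration (not FirstBlood's own code) of a server-side check shared by both endpoints; it assumes a PHP session carrying a `role` key and a hypothetical `find_patients()` data-access function.

```php
<?php
// Added example, not code from the FirstBlood application.
// A single authorisation helper that both query.php and qp.php include, so a
// fix cannot land in one endpoint and be forgotten in the other.
// Assumptions: $_SESSION['role'] holds 'admin', 'doctor' or 'new_doctor';
// find_patients() is a hypothetical data-access function.

declare(strict_types=1);

// Roles permitted to search patient records. Per the triage note only
// administrators should pass; a doctor (new or otherwise) is denied.
const PATIENT_SEARCH_ROLES = ['admin'];

function authorize_patient_search(array $session): bool
{
    // Fail closed: missing session, missing role, or unlisted role => denied.
    $role = $session['role'] ?? null;
    return is_string($role) && in_array($role, PATIENT_SEARCH_ROLES, true);
}

function deny_access(): void
{
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'You are not authorised to view this. Consult your medical administrator.']);
    exit;
}

// ---- qp.php (hardened) -------------------------------------------------
session_start();

// The check runs before any request parameter is read and regardless of the
// HTTP method: the report shows that a GET-only check, or a check only in
// the browser, leaves a POST body request to the same file wide open.
if (!authorize_patient_search($_SESSION)) {
    deny_access();
}

$name = trim((string) ($_POST['name'] ?? $_GET['name'] ?? ''));
if ($name === '') {
    http_response_code(400);
    exit;
}

header('Content-Type: application/json');
echo json_encode(find_patients($name)); // hypothetical data-access function
```

In a review, grep for every file that reads patient data and confirm each one includes the same helper before touching request parameters; the v2.0.0 defect was exactly one file (qp.php) missing what its sibling (query.php) had.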