FirstBlood #1672: Able to delete an ambulance from an appointment
This issue was discovered on FirstBlood v3



On 2022-12-13, didsec Level 5 reported:

Hi there

I found it is possible to delete an ambulance from an appointment via an API call to /api/manageambulances.php

To reproduce:

  1. Visit firstbloodhackers.com/book-appointment.php and fill in the information required to make an appointment
  2. Click Book Appointment and intercept the request
  3. Add &ambulance=1 to the data and forward the request
  4. Take note of the created appointment ID
  5. Visit firstbloodhackers.com/api/ambulances.php?select={appointment ID} and take note of the ambId
  6. Visit firstbloodhackers.com/api/manageambulances.php?ambId={ambId} and intercept the request
  7. Change the request to a DELETE request and forward the request

The ambulance has now been deleted from the appointment. We can check this by visiting firstbloodhackers.com/ambulance.php?apptId={appointment ID} or by making a call to /api/ambulances.php

P2 High


FirstBlood ID: 77
Vulnerability Type: Access_control

Sending an unauthenticated DELETE request to /api/manageambulances.php will cause that ambulance to be deleted
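As an added example, not FirstBlood's own code, the following Python model places the handler behaviour described above beside a hardened version that checks the session and the ownership of the appointment before honouring a DELETE. The `Request` class, the ownership table and the sample IDs are constructed assumptions, not values from the application.

```python
"""Access-control model for a manageambulances-style DELETE endpoint.

The flaw in the report: a DELETE with ambId=... removes the ambulance without
checking who is asking. The hardened handler rejects callers with no session
and callers who do not own the appointment the ambulance is attached to.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: appointment 42 belongs to "alice" and has
# ambulance 7 assigned to it. Handlers receive a copy of AMBULANCE_TO_APPT.
APPOINTMENT_OWNER = {42: "alice"}
AMBULANCE_TO_APPT = {7: 42}


@dataclass
class Request:
    method: str
    params: dict
    user: Optional[str] = None   # None models a request with no valid session


def _parse_amb_id(params: dict) -> Optional[int]:
    """Return ambId as an int, or None if absent or not numeric."""
    try:
        return int(params["ambId"])
    except (KeyError, ValueError, TypeError):
        return None


def vulnerable_delete(req: Request, ambulances: dict) -> Tuple[int, str]:
    """Behaviour described in the report: any DELETE with a valid ambId works."""
    if req.method != "DELETE":
        return 405, "method not allowed"
    amb_id = _parse_amb_id(req.params)
    if amb_id not in ambulances:
        return 404, "no such ambulance"
    del ambulances[amb_id]
    return 200, "deleted"


def hardened_delete(req: Request, ambulances: dict) -> Tuple[int, str]:
    """Same endpoint with authentication and ownership enforced first."""
    if req.method != "DELETE":
        return 405, "method not allowed"
    if req.user is None:                     # no session: refuse before any lookup
        return 401, "login required"
    amb_id = _parse_amb_id(req.params)
    appt_id = ambulances.get(amb_id)
    # One response for "does not exist" and "not yours", so the endpoint
    # does not reveal which ambIds exist to a user who does not own them.
    if appt_id is None or APPOINTMENT_OWNER.get(appt_id) != req.user:
        return 404, "no such ambulance"
    del ambulances[amb_id]
    return 200, "deleted"
```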

Report Feedback

@zseano

Creator & Administrator


Congratulations you were third to discover this!