FirstBlood-#452[COLLAB with itisbug] Non admin doctor can search patients through api
This issue was discovered on FirstBlood v2
On 2021-10-25, shreky Level 5 reported:

Summary

A non admin patient that shouldn't have permission to search for patients is able to do so by making a POST request to the API over at /drpanel/drapi/qp.php with the POST parameter name=a (or any value).

Steps to reproduce

  1. As a non admin/new doctor, make a POST request to /drpanel/drapi/qp.php with the parameter name, like in the image
  2. You'll get back the results

Impact

Non admin doctor can search for patients through the API when he isn't meant to do so. This also leads to a PII leak of patients.

PoC -->

P3 Medium

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: a
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic

The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins to query, but query.php was fixed completely whereas qp.php was not.
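The pattern behind this finding, as an added illustration that is not FirstBlood's own code: a role check that is tied to one request method leaves every other method unguarded. The handler below is hypothetical; the session keys, the role value 'admin', and the search_patients() helper are assumptions, and the "vulnerable shape" in the comment is an assumed reconstruction of the partial fix the description refers to, not the real qp.php source.

```php
<?php
// Added example (not FirstBlood's code): a hardened handler for a patient-search
// endpoint such as /drpanel/drapi/qp.php. Session keys, the 'admin' role value
// and search_patients() are assumptions for illustration.
session_start();

// Vulnerable shape (assumed, illustrating a partial fix that only covers GET):
//   if ($_SERVER['REQUEST_METHOD'] === 'GET' && $_SESSION['role'] !== 'admin') { deny }
// That condition never runs for a POST, so a doctor session that POSTs
// name=<anything> still reaches the patient query.

// 1. Require an authenticated session before anything else.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// 2. Authorize on the session role alone, before the request method is even
//    looked at, so GET, POST and any other verb pass through the same gate.
if (($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    error_log(sprintf('qp.php denied: user=%s role=%s method=%s',
        $_SESSION['user_id'], $_SESSION['role'] ?? '-', $_SERVER['REQUEST_METHOD']));
    exit;
}

// 3. Read the search term from either source with one shared validation,
//    so the two code paths cannot drift apart again.
$name = trim((string)($_POST['name'] ?? $_GET['name'] ?? ''));
if ($name === '' || strlen($name) > 64) {
    http_response_code(400);
    exit;
}

// 4. Only an admin session with a valid term reaches the query.
//    search_patients() is assumed to use a prepared statement.
header('Content-Type: application/json');
echo json_encode(search_patients($name));
```

The denied-request log line gives a defender a simple signal to alert on: repeated 403s on this endpoint from doctor-role sessions indicate someone probing the authorization boundary.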