FirstBlood-#21 — Newly created Doctor account was able to search for patient info via the query api
This issue was discovered on FirstBlood v1
On 2021-05-09, bobbylin Level 4 reported:
A newly created doctor account was able to bypass the restriction to search for patient information.
We can make a request to get the patient information and bypass the client-side restriction in the hospital user portal.
http://firstbloodhackers.com:49219/drpanel/drapi/query.php?aptid=56911630
P1 CRITICAL
Endpoint: /drpanel/drapi/query.php?aptid=56911630
Parameter: aptid
Payload: 56911630
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
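The root cause described in the report is an access restriction enforced only in the browser UI, while the server behind /drpanel/drapi/query.php answers any logged-in account. The following is an added example, not FirstBlood's own code: it models the endpoint as a small request handler with the authorization policy made explicit, so the "logged-in only" policy (the reported behaviour) and a server-side "admin only" policy can be compared on the same request. The Session class, the APPOINTMENTS store, the role names and the audit sink are constructed for the example; the endpoint path, the aptid parameter and the sample ID come from the report.

```python
"""Server-side authorization for an appointment-lookup endpoint (added example).

Models the flaw from the report: the search restriction lived only in the
client, so any authenticated doctor could call the admin query endpoint.
The fix is to evaluate the caller's role on the server for every request.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlparse

QUERY_PATH = "/drpanel/drapi/query.php"   # endpoint named in the report


@dataclass(frozen=True)
class Session:
    user: str
    role: str   # constructed roles: "admin" or "doctor"


# Constructed sample appointment store: aptid -> patient record.
APPOINTMENTS = {
    "56911630": {"patient": "J. Doe", "doctor": "dr_smith", "notes": "follow-up"},
    "10000001": {"patient": "A. Roe", "doctor": "dr_jones", "notes": "new patient"},
}

# Constructed in-memory audit sink for denied calls; a real deployment would
# forward these to its logging pipeline so repeated probing is visible.
DENIED_LOG = []

Policy = Callable[[Session], bool]


def logged_in_only(session: Session) -> bool:
    """The reported behaviour: any authenticated account is allowed."""
    return True


def require_admin(session: Session) -> bool:
    """Hardened policy: the endpoint is administrative, so only admins pass."""
    return session.role == "admin"


def handle_request(session: Optional[Session], url: str,
                   policy: Policy = require_admin) -> Tuple[int, dict]:
    """Return (HTTP status, JSON-like body) for a GET to the query endpoint.

    Order matters: the route and parameter are validated first, then
    authentication, then the role policy, and only then is data touched,
    so an unauthorized caller never learns whether an aptid exists.
    """
    parts = urlparse(url)
    if parts.path != QUERY_PATH:
        return 404, {"error": "not found"}

    aptid = parse_qs(parts.query).get("aptid", [""])[0]
    if not aptid.isdigit():
        return 400, {"error": "aptid must be numeric"}

    if session is None:
        return 401, {"error": "login required"}

    if not policy(session):
        DENIED_LOG.append(f"user={session.user} role={session.role} aptid={aptid}")
        return 403, {"error": "forbidden"}

    record = APPOINTMENTS.get(aptid)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    url = f"{QUERY_PATH}?aptid=56911630"
    new_doctor = Session("new_doctor", "doctor")
    print("client-side only:", handle_request(new_doctor, url, policy=logged_in_only))
    print("server-side check:", handle_request(new_doctor, url))
    print("denied calls:", DENIED_LOG)
```

Running the module shows the same doctor session receiving the patient record under the "logged-in only" policy and a 403 under the admin policy; the denied call is also recorded, which is the signal a SOC would alert on if a freshly created doctor account starts enumerating appointment IDs.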