FirstBlood-#814 — Auth issue allowing a new doctor to view all appointment details that should require admin access
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r Level 4 reported:
Summary
On /drpanel/index.php, the Search Patient functionality is only supposed to be available for Admin users, not new doctors. However, a new doctor can use the /drpanel/drapi/qp.php endpoint directly to search for all patient PII that they shouldn't have access to.
This was a vulnerability in version 1 but doesn't seem to have been fixed.
Steps to reproduce
- Register as a new doctor and log in.
- On the /drpanel/index.php endpoint, click the Search Patient menu option and click Search. Observe the error message saying your user does not have access to do this.
- Go to Burp and create a POST request to /drpanel/drapi/qp.php with your user's cookie and a parameter of name= to get details of all appointments.
Impact
A new user can view details of all appointments even though they should not be authorised to view that.
P3 Medium
Endpoint: /drpanel/drapi/qp.php
Parameter: name
Payload: blank
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
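The steps above and the triage note describe a classic broken-access-control pattern: the role check lives in the UI (index.php shows an error to a doctor) while the API endpoint the UI calls (qp.php) only checks that some session exists, and a blank name= matches every record. The following is an added example, not code from FirstBlood or the reporter; it models the vulnerable and hardened handler side by side in Python so the difference can be exercised offline. The function names (qp_vulnerable, qp_fixed, handle_post), the Session class, and the APPOINTMENTS records are all constructed for illustration and are not FirstBlood's implementation.

```python
from dataclasses import dataclass
from http import HTTPStatus
from urllib.parse import parse_qs

# Constructed sample data standing in for the appointment records that
# /drpanel/drapi/qp.php searches over (hypothetical, not from the target).
APPOINTMENTS = [
    {"id": 1, "name": "Alice Example", "details": "2021-11-01 09:00 cardiology"},
    {"id": 2, "name": "Bob Example", "details": "2021-11-01 10:30 dermatology"},
    {"id": 3, "name": "Carol Example", "details": "2021-11-02 14:00 oncology"},
]


@dataclass
class Session:
    """Hypothetical session object: any logged-in account carries one."""
    username: str
    role: str  # "doctor" or "admin"


def search(name):
    # Substring match; an empty name matches every record, which is exactly
    # the "Payload: blank" behaviour the report abuses.
    return [a for a in APPOINTMENTS if name in a["name"]]


def qp_vulnerable(session, name):
    """Models the reported behaviour: only 'is there a session?' is checked,
    so a freshly registered doctor gets the full patient list."""
    if session is None:
        return HTTPStatus.UNAUTHORIZED, []
    return HTTPStatus.OK, search(name)


def qp_fixed(session, name):
    """Hardened handler: the role is enforced on the API endpoint itself,
    not only on the menu in index.php, and an empty query is rejected so
    the endpoint cannot be used as a bulk export."""
    if session is None:
        return HTTPStatus.UNAUTHORIZED, []
    if session.role != "admin":
        return HTTPStatus.FORBIDDEN, []
    if not name.strip():
        return HTTPStatus.BAD_REQUEST, []
    return HTTPStatus.OK, search(name)


def handle_post(handler, session, body):
    """Dispatch a raw form-encoded POST body (e.g. "name=") to a handler,
    mirroring how PHP would populate $_POST["name"] with "" for "name=".
    Returns (status, results)."""
    params = parse_qs(body, keep_blank_values=True)
    name = params.get("name", [""])[0]
    return handler(session, name)


if __name__ == "__main__":
    doctor = Session("newdoctor", "doctor")
    status, rows = handle_post(qp_vulnerable, doctor, "name=")
    print("vulnerable, doctor, blank name:", status, len(rows), "records")
    status, rows = handle_post(qp_fixed, doctor, "name=")
    print("fixed, doctor, blank name:", status, len(rows), "records")
```

The point of keeping both handlers in one file is the regression check: the same request body, the same low-privilege session, and the only thing that changes is whether the endpoint enforces the role itself. That is the check to repeat on every sibling endpoint (the triage note names query.php) when a fix is claimed, since a partial fix that patches one file and not the other is precisely what this report found.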