FirstBlood-#561 — A normal user can change the message in an appointment of another user
This issue was discovered on FirstBlood v2
On 2021-10-26, twsec Level 2 reported:
A normal user can change the message typed for another patient who cancelled his appointment.
- We have 2 users: victim1 and attacker1. victim1 booked an appointment and cancelled it, while attacker1 just booked an appointment.
This image shows the message left by victim1.
- Now the attacker manages his appointment and clicks modify, but in the request changes his own aptid to that of the victim.
Note: although the id is unguessable, imagine if an attacker was able to get the aptid in some other way; it's not good coding practice if this is allowed.
- Now the message is changed, and we can see that in the cancelled section in the drpanel.
P3 Medium
Endpoint: /api/ma.php
Parameter: message
Payload: change the message of the victim
FirstBlood ID: 21
Vulnerability Type: Insecure direct object reference
Not working correctly: The endpoint MA.php was fixed to prevent the use of integer values; however, whilst it does not require any type of authentication to view normally, it is still vulnerable to IDOR as long as the appointmentID is known. We intended to add another feature which would allow users to convert integer > encrypted ID and this was an oversight on our behalf. This bug doesn't count towards unique finds.
Creator & Administrator
Oops, I did not mean to enter the bounty amount there. Ignore the previous email, sorry! :) Nice find twsec, actually you're the only person so far to discover this. A lot of people have discovered about changing the email with doctorAuthed (as you have), but no-one went further to test if there's any IDOR still if the aptID is known (as it was vulnerable to integer in past). Most stopped there. Nice job!
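The ownership check that the report says is missing, written here as an added Python example (not FirstBlood's own PHP code for /api/ma.php): the first handler reproduces the reported behaviour, where any known aptid can be modified, and the second rejects an aptid the session user does not own, so an unguessable id is no longer the only protection. The function names, the in-memory store and the sample users are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Appointment:
    apt_id: str      # random, unguessable id (the non-integer id the fix introduced)
    owner: str       # username that booked the appointment
    message: str
    cancelled: bool = False

# Constructed in-memory store standing in for the application's database.
APPOINTMENTS: dict[str, Appointment] = {}

def book(owner: str, message: str) -> str:
    """Create an appointment with a random 128-bit id and return that id."""
    apt = Appointment(secrets.token_hex(16), owner, message)
    APPOINTMENTS[apt.apt_id] = apt
    return apt.apt_id

def modify_vulnerable(session_user: str, apt_id: str, message: str) -> int:
    """Mirrors the reported flaw: the id format is valid, so the change is applied."""
    apt = APPOINTMENTS.get(apt_id)
    if apt is None:
        return 404
    apt.message = message          # session_user is never compared with apt.owner
    return 200

def modify_fixed(session_user: str, apt_id: str, message: str) -> int:
    """Ownership check: the session user must own the appointment being changed."""
    apt = APPOINTMENTS.get(apt_id)
    if apt is None or apt.owner != session_user:
        return 404                 # same answer for unknown and foreign ids
    apt.message = message
    return 200

def replay_report(handler) -> tuple[int, str]:
    """Constructed scenario from the report: victim1 books and cancels, attacker1
    submits the victim's aptid in his own modify request. Returns (status, victim message)."""
    APPOINTMENTS.clear()
    victim_apt = book("victim1", "please reschedule me")
    APPOINTMENTS[victim_apt].cancelled = True
    book("attacker1", "first visit")
    status = handler("attacker1", victim_apt, "changed by attacker")
    return status, APPOINTMENTS[victim_apt].message
```

Run `replay_report(modify_vulnerable)` and `replay_report(modify_fixed)` side by side to see that only the ownership check, not the id format, stops the cross-user change.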