FirstBlood-#1475 — Info Leak on api/ambulances.php leads to IDOR on manageappointment
This issue was discovered on FirstBlood v3
On 2022-12-10, twsec Level 2 reported:
Hi Sean,
This report chains 2 vulnerabilities, one in /api/ambulances.php and one in manageappointment.php.
Steps to reproduce:
1- Navigate to /api/ambulances.php
In the request /api/ambulances.php?select=, instead of entering an apptid, enter the keyword all.
Thus, the API reveals all the appointment IDs it has.
Here you can see all the appointment IDs
2- User1 has an ID of 63672f98-55af-4df2-9c45-24cebd06efc3 and now, after finding all the IDs, he decided to cancel all other IDs
User2 has ID: 2d747e59-8eea-4c92-81e3-30f6eb68cf74
Both are valid, and we can make sure of that in yourappointment
3- The malicious User1 decides to enter User2's ID and cancel his appointment; he does that, and after checking the apptid, it's invalid
P2 High
FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure
The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied
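
A server-side fix for the chain described in this report, as an added example that is not FirstBlood's code: the API accepts only a well-formed appointment ID owned by the caller, and the cancel action repeats the same check before changing state. The data store, session identifiers, function names and the binding of an appointment to a session are assumptions made for illustration.

```php
<?php
// Added example: hypothetical data and function names, not FirstBlood source.
// Constructed sample store: appointment id => owning session, ambulance, status.
$appointments = [
    '11111111-1111-4111-8111-111111111111' => ['owner' => 'sess-A', 'ambulance' => 'unit-1', 'status' => 'booked'],
    '22222222-2222-4222-8222-222222222222' => ['owner' => 'sess-B', 'ambulance' => 'unit-2', 'status' => 'booked'],
];

const UUID_RE = '/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i';

// Returns the record only when the id is well formed, exists, and belongs to the caller.
// Every failure returns null so the response does not reveal which ids exist.
function findOwned(array $store, string $sessionId, string $apptId): ?array
{
    if (preg_match(UUID_RE, $apptId) !== 1) {
        return null; // rejects keywords such as "all" and any other non-UUID value
    }
    $record = $store[strtolower($apptId)] ?? null;
    if ($record === null || !hash_equals($record['owner'], $sessionId)) {
        return null;
    }
    return $record;
}

// Handler logic for /api/ambulances.php?select=<apptid>: one record, never a listing.
function selectAmbulance(array $store, string $sessionId, string $select): array
{
    $record = findOwned($store, $sessionId, $select);
    if ($record === null) {
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    return ['status' => 200, 'body' => ['ambulance' => $record['ambulance']]];
}

// Handler logic for cancelling: the same ownership check runs before any state change.
function cancelAppointment(array &$store, string $sessionId, string $apptId): array
{
    if (findOwned($store, $sessionId, $apptId) === null) {
        return ['status' => 404, 'body' => ['error' => 'not found']];
    }
    $store[strtolower($apptId)]['status'] = 'cancelled';
    return ['status' => 200, 'body' => ['status' => 'cancelled']];
}

// Session sess-A: keyword request, another session's appointment, then its own.
var_dump(selectAmbulance($appointments, 'sess-A', 'all')['status']);
var_dump(cancelAppointment($appointments, 'sess-A', '22222222-2222-4222-8222-222222222222')['status']);
var_dump(cancelAppointment($appointments, 'sess-A', '11111111-1111-4111-8111-111111111111')['status']);
```

Returning the same 404 for a malformed ID, an unknown ID and an ID owned by someone else keeps the endpoint from acting as an oracle for valid appointment IDs.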