FirstBlood-#1801
It is still possible to edit some data of a confirmed & cancelled appointment
This issue was discovered on FirstBlood v3



On 2022-12-17, 0xblackbird Level 5 reported:

Summary:

Hi!

I saw that it is still possible to edit data after an appointment is booked and have the changes reflected on the admin's side (/api/qp.php) as well as on the ambulance API (/api/ambulances.php).

QP.php doesn't return the status, while the ambulances API does but has a fixed value: attending (even if this wasn't the case, there is a JSON object injection through the name field, for example).

Impact:

I'm still able to modify my booking by directly invoking the API. This shouldn't be allowed.

Steps to reproduce:

1) Create a booking over at /book-appointment.php

2) Replicate the following request:

POST /api/ma.php HTTP/1.1
Host: 33de8dfe6bd7-0xblackbird.a.firstbloodhackers.com
Content-Length: 50
Content-Type: application/x-www-form-urlencoded
X-Site-Req: permitted
Name: {name}
Dob: {dob}

act=cancel&id={APPT_ID}

3) Send the request.

4) You can cross-check that the changes were made by invoking the ambulances API for example. To do so, you can simply visit the following endpoint in your web browser: /api/ambulances.php?select={APPT_ID}

5) This will return the modified data

Have a great day!

Kind regards, 0xblackbird

P4 Low

Endpoint: /api/ma.php

Parameter: Name, Dob

Payload: {value}


FirstBlood ID: 49
Vulnerability Type: Application/Business Logic

Users can modify their name/dob via the header parameters on modify-appointment.php despite this being restricted on the web application.
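As an added illustration (not FirstBlood's own code, which this report does not show), the following Python model contrasts a modify-appointment handler that behaves like the one described above with a hardened version that enforces the appointment lifecycle on the server. The action names, the id parameter and the Name/Dob headers are taken from the report; the in-memory store, the status values and the handler structure are assumptions made for the example.

```python
"""Model of the appointment-modification flaw from the report (added example,
not FirstBlood's code).  act/id and the Name/Dob headers come from the report;
the store, the Status values and the handler layout are assumptions."""
import json
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PENDING = "pending"      # booked, not yet reviewed by staff
    CONFIRMED = "confirmed"  # accepted on the admin side
    CANCELLED = "cancelled"  # terminal state


@dataclass
class Appointment:
    id: int
    name: str
    dob: str
    status: Status


@dataclass
class Request:
    """Minimal stand-in for the HTTP request in the report: form body + headers."""
    form: dict
    headers: dict


def seed_store() -> dict:
    """Constructed sample data: one confirmed and one cancelled booking."""
    return {
        49: Appointment(49, "Alice Example", "1990-01-01", Status.CONFIRMED),
        50: Appointment(50, "Bob Example", "1985-05-05", Status.CANCELLED),
    }


def vulnerable_ma(store: dict, req: Request) -> dict:
    """Weak handler: applies Name/Dob from the headers on every request and
    never looks at the current status, so a confirmed or cancelled booking
    can still be rewritten, which is what the report demonstrates."""
    appt = store[int(req.form["id"])]
    appt.name = req.headers.get("Name", appt.name)
    appt.dob = req.headers.get("Dob", appt.dob)
    if req.form.get("act") == "cancel":
        appt.status = Status.CANCELLED
    return {"ok": True}


# Which current states each action may act on (assumed lifecycle).
ALLOWED = {
    "modify": {Status.PENDING},                    # details editable only before confirmation
    "cancel": {Status.PENDING, Status.CONFIRMED},  # a cancelled booking cannot be touched again
}


def hardened_ma(store: dict, req: Request) -> dict:
    """Hardened handler: the restriction the web UI shows is enforced by the
    API itself, and name/dob are only written on an explicit modify of a
    pending booking, never as a side effect of a cancel."""
    try:
        appt = store[int(req.form.get("id", ""))]
    except (KeyError, ValueError):
        return {"ok": False, "error": "unknown appointment"}
    act = req.form.get("act")
    if act not in ALLOWED or appt.status not in ALLOWED[act]:
        return {"ok": False, "error": f"{act} not allowed in state {appt.status.value}"}
    if act == "modify":
        appt.name = req.headers.get("Name", appt.name)
        appt.dob = req.headers.get("Dob", appt.dob)
    else:
        appt.status = Status.CANCELLED
    return {"ok": True}


def ambulances_view(store: dict, appt_id: int) -> str:
    """Serialises a record the way a select= lookup would expose it.  Going
    through the JSON encoder instead of string concatenation keeps a name
    containing quotes or braces as plain data, which addresses the object
    injection through the name field mentioned in the report."""
    a = store[appt_id]
    return json.dumps({"id": a.id, "name": a.name, "dob": a.dob, "status": a.status.value})


def parse_view(view: str) -> dict:
    """Round-trips the serialised record so its structure can be checked."""
    return json.loads(view)


if __name__ == "__main__":
    req = Request(form={"act": "cancel", "id": "49"},
                  headers={"Name": 'Mallory", "status": "attending', "Dob": "2000-01-01"})
    weak = seed_store()
    vulnerable_ma(weak, req)
    print("weak   :", ambulances_view(weak, 49))
    strong = seed_store()
    print("strong :", hardened_ma(strong, req), ambulances_view(strong, 49))
```

Run as a script, the weak handler rewrites the confirmed booking's name and date of birth from the headers, while the hardened handler still cancels it but leaves the identity fields untouched and refuses a modify or a second cancel on a record that is no longer pending.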