FirstBlood-#717 — New doctors unauthorized access to patients management details
This issue was discovered on FirstBlood v2
On 2021-10-27, holybugx Level 5 reported:
Description
Hello Sean,
New doctors do not have access to the Patient Management details due to the application logic. However, this authorization check can be bypassed using a direct POST request to the /drpanel/drapi/qp.php API endpoint.
Steps To Reproduce
- Use the drAdmin's account to search for patients and log the requests:
- Swap the drAdmin's cookies with a new doctor's cookies and forward the requests:
As observed, new doctors can access patients' information using a direct POST request to the /drpanel/drapi/qp.php API endpoint. The authorization check is only done in the UI and can thus be bypassed.
Impact
- Unauthorized access to patients' PII.
Remediation
- Implementing proper authorization checks on the /drpanel/drapi/qp.php API endpoint.
Kind Regards,
HolyBugx
P3 Medium
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The qp.php endpoint used to respond to GET requests and should only allow administrators to query for patient information; however, the developers only fixed the bug partially, and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
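The root cause described above is an authorization decision made only in the UI, with a second endpoint (qp.php) left behind when its sibling (query.php) was fixed. The following is an added example, not FirstBlood's own code, of the kind of server-side gate that both endpoints would share so that a fix cannot be applied to one and forgotten on the other. The session keys (`role`, `user`), the role name `admin`, and the `drapi_auth.php` file name are assumptions; only the endpoint paths come from the report.

```php
<?php
// drapi_auth.php (assumed file name): included at the top of every
// /drpanel/drapi/*.php endpoint, e.g. qp.php and query.php, before any work.
// This is an added example, not FirstBlood's code. Session layout is assumed.

declare(strict_types=1);

/**
 * Abort the request unless the logged-in user holds one of $allowedRoles.
 * The decision is taken from server-side session state only, never from
 * anything the client sends, so hiding a button in the UI is no longer the
 * sole control. Denials are logged so a doctor's session hitting an
 * admin-only endpoint is visible to the defenders.
 */
function require_role(array $allowedRoles): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $role = $_SESSION['role'] ?? null;   // assumed: set by the login handler
    if ($role === null) {
        http_response_code(401);
        exit('authentication required');
    }
    if (!in_array($role, $allowedRoles, true)) {
        http_response_code(403);
        error_log(sprintf(
            'authz denied: user=%s role=%s endpoint=%s',
            $_SESSION['user'] ?? '?',
            $role,
            $_SERVER['SCRIPT_NAME'] ?? '?'
        ));
        exit('forbidden');
    }
}

/** Reject every HTTP method except the one the endpoint is designed for. */
function require_method(string $method): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== $method) {
        http_response_code(405);
        header('Allow: ' . $method);
        exit('method not allowed');
    }
}

// ---- qp.php and query.php both start with exactly these lines -------------
// require_once __DIR__ . '/drapi_auth.php';
require_method('POST');
require_role(['admin']);   // patient search is admin-only; doctors receive 403

// Only after both gates pass does the endpoint touch patient data.
$search = trim((string)($_POST['name'] ?? ''));
if ($search === '') {
    http_response_code(400);
    exit('missing name');
}
// ... run the parameterised patient query here (omitted; not part of the example).
```

Putting the two checks in one shared include is the design point: when the rule for "who may query patients" changes, it changes in one place, and a reviewer can grep for endpoints under /drpanel/drapi/ that do not include it. Logging the 403 with user, role and script name also gives the operations side a straightforward detection for the exact behaviour the report demonstrates.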
Creator & Administrator
Nice report! We actually made a mistake here and this endpoint should have only been accessible to admins (which it is now if you go and try!). However the one with this was, were all admin endpoints locked down? :D