FirstBlood-#106 — An new user account can bypass security and view all patient data
This issue was discovered on FirstBlood v1
On 2021-05-10, xnl-h4ck3r Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
An attacker can create a new user account and access all patient PII data
Summary
It is possible due to a number of vulnerabilities that an attacker is able to register on the app and obtain all patient PII data.
On endpoint /register.php it says:
Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account
- Firstly, it is possible for an attacker to obtain an invite code (e.g. https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/)
- Secondly, an invite code can be used multiple times so an attacker has the opportunity to make use of one already used.
- Thirdly, an attacker is able to register using any user name, not just a Doctor accpunt that has been pre-made (although likely usernames are on
/doctors.html).
Once registered, the attacker can then access the Manageent panel on /drpanel/index.php. The user is informed with Warning: As your account has been recently registered you will not be able to view patient information yet.
- Firstly, the attacker has access to patients full names who have appointments that day, and who have cancelled appointments.
- Secondly, the attacker is able to use endpoint
/drpanel/drapi/qp.php directly to view PII data of all patients.
- Thirdly, the attacker is able to use endpoint
/drpanel/drapi/query.php directly to view PII of patients who have appointments. An appointment ID has to be passed, but an IDOR exists that allows an attacker to enumerate that.
Steps To Reproduce
- Log in as a new user, and observe the message below:
To query patient data
- To bypass this security, send a GET request to
/drpanel/drapi/query.php with the cookies of the logged in user, and query parameter of aptid=56910619 for example.
- Observe the response with data of a patients appointment:
NOTE: An IDOR exists that means the appt value is 5691???? where ???? is enumerated by adding 137 to the previous value each time.
To query appointment data
- To bypass this security, send a POST request to
/drpanel/drapi/qp.php with the cookies of the logged in user, and post parameter of name=%20.
- Observe the reponse with data of all patients:
Impact
Authorisation controls can be bypassed allowed new users access to patient appointment PII data
P2 High
Endpoint: register.php, /drpanel/drapi/qp.php, /drpanel/drapi/query.php
Parameter: n/a
Payload: n/a
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.