FirstBlood-#1090 — Leak doctors private emails and internal data
This issue was discovered on FirstBlood v3
On 2022-12-08, iakdh (Level 4) reported:
As described on the homepage, 2 locations of the hospital are private, but the endpoint /api/locations.php can leak these locations. The endpoint /api/locations.php takes location as a parameter, and setting it to chicago or seattle can leak the address.
Steps to reproduce:
- Go to /api/locations.php?location=chicago or /api/locations.php?location=/seattle
- You should see the location from the response
POC:
Impact:
Leaks the private hospital locations.
P2 High
Endpoint: /api/locations.php
Parameter: location
Payload: chicago/seattle
FirstBlood ID: 62
Vulnerability Type: Access_control
The endpoint /api/locations?location= leaks the Seattle and Chicago addresses despite them being listed as PRIVATE on FirstBlood v3.
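The access-control failure in this report is a lookup endpoint that serves any record matching the `location` parameter without checking the record's visibility. The block below is an added example, not FirstBlood's own code (the real endpoint is PHP; this is a Python model of the same check). It places the leaky lookup beside a fixed one that filters private records server-side, and adds a small detection pass over constructed access-log lines. The location records, addresses, IPs and log lines are all constructed; the normalisation of a leading slash (so that `/seattle` matches `seattle`) is an assumption taken from the report's second payload, not something the page confirms about the real code.

```python
# Added example (not FirstBlood's code): a location lookup that honours a
# per-record "private" flag, beside the leaky version, plus a log check.
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample data: the real application's records are not on the page.
LOCATIONS = {
    "newyork": {"address": "123 Example Ave (constructed)", "private": False},
    "chicago": {"address": "456 Example St (constructed)", "private": True},
    "seattle": {"address": "789 Example Rd (constructed)", "private": True},
}

def normalize(name: str) -> str:
    # Assumption: strip whitespace and path-style slashes so "/seattle" matches
    # "seattle", as the report's second payload suggests the real endpoint does.
    return name.strip().strip("/").lower()

def lookup_vulnerable(name: str) -> Optional[str]:
    # Leaky behaviour: returns the address for any known key, never consulting
    # the private flag (the class of bug the report describes).
    rec = LOCATIONS.get(normalize(name))
    return rec["address"] if rec else None

def lookup_fixed(name: str) -> Optional[str]:
    # Fixed behaviour: the visibility check happens server-side, and a private
    # record is indistinguishable from an unknown one in the response.
    rec = LOCATIONS.get(normalize(name))
    if rec is None or rec["private"]:
        return None
    return rec["address"]

def handle_request(params: dict, lookup=lookup_fixed) -> tuple:
    # Minimal model of the HTTP layer: 400 when the parameter is missing,
    # 404 when the lookup yields nothing, 200 with the address otherwise.
    name = params.get("location")
    if not name:
        return 400, {"error": "location parameter required"}
    address = lookup(name)
    if address is None:
        return 404, {"error": "not found"}
    return 200, {"location": normalize(name), "address": address}

# Constructed access-log lines (common log format) for the detection check.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2022:10:00:01 +0000] "GET /api/locations.php?location=newyork HTTP/1.1" 200 143
10.0.0.9 - - [08/Dec/2022:10:00:07 +0000] "GET /api/locations.php?location=chicago HTTP/1.1" 200 151
10.0.0.9 - - [08/Dec/2022:10:00:09 +0000] "GET /api/locations.php?location=/seattle HTTP/1.1" 200 149
"""

LOG_RE = re.compile(r'^(\S+) .*"GET /api/locations\.php\?location=([^ &"]+)[^"]*" (\d{3})')

def find_private_leaks(log_text: str) -> list:
    # Returns the client IPs of requests that fetched a private location and
    # received a 200, i.e. the requests a defender would want to review.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, loc, status = m.group(1), unquote(m.group(2)), m.group(3)
        rec = LOCATIONS.get(normalize(loc))
        if rec and rec["private"] and status == "200":
            hits.append(ip)
    return hits

if __name__ == "__main__":
    print(handle_request({"location": "/seattle"}, lookup_vulnerable))  # leaks
    print(handle_request({"location": "/seattle"}))                     # 404
    print(find_private_leaks(SAMPLE_LOG))
```

The fixed lookup returns the same 404 for a private record as for a nonexistent one; returning 403 instead would confirm to a caller that the private location exists, which is itself a small leak. The log check is a retrospective control for the same issue: once the records have a visibility flag, any 200 response for a private key is a finding worth reviewing.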
Creator & Administrator
Congratulations, you were the first user to report this. Great work!