FirstBlood-#1399: It is possible to book an appointment with an unavailable doctor
This issue was discovered on FirstBlood v3



On 2022-12-09, 0xblackbird (Level 5) reported:

Summary:

Hi

It appeared to me that there are no checks on the backend regarding whether a doctor is available or not. This allows anyone to book an unavailable doctor at any time.

Possible cause:

I suspect that the developers thought that, as there was no way to specify a doctor's ID (using the web UI), it shouldn't be possible to select an unavailable doctor. These kinds of underestimations are made a lot during development.

Impact:

I'm able to make an appointment with an unavailable doctor. This can cause inconvenience and misunderstanding among the management team.

Steps to reproduce:

1) Visit /book-appointment.php#doctor=1 (ID 1 is by default unavailable).

2) Fill in the form and submit it.

3) As you can see below, our appointment was made successfully:

4) To cross-check this, we could visit /manageappointment.php?success&aptid={GUID}, which returns our previously selected doctor:

Mitigation:

I recommend placing a check on the backend to see if the doctor is available. If not, the request must be rejected (or another doctor must be assigned).

Have a nice day!

Kind regards,

0xblackbird

P4 Low

Endpoint: /api/ba.php

Parameter: drId

Payload: 1
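One way to implement the backend check recommended in the mitigation, as an added example that is not FirstBlood's own code: a PDO-based handler for the /api/ba.php booking endpoint that validates drId and only inserts the appointment if the doctor row exists and is marked available. The doctors/appointments table and column names, the patient name field and the hex appointment id are assumptions.

```php
<?php
declare(strict_types=1);

// Hardened booking handler for /api/ba.php (endpoint and drId come from the report).
// Assumed schema: doctors(id, available) and appointments(id, doctor_id, patient_name).
function bookAppointment(PDO $db, array $post): array
{
    // drId is client-supplied even though the web UI never exposes it, so it is
    // validated here instead of trusting what the page "allowed" the user to pick.
    $drId = filter_var(
        $post['drId'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    $name = trim((string) ($post['name'] ?? ''));
    if ($drId === false || $name === '') {
        return ['status' => 400, 'error' => 'missing or invalid fields'];
    }

    // Check and insert in a single statement: the row is written only when the
    // doctor exists and is available, so an availability change between a
    // separate SELECT and the INSERT cannot slip through.
    $stmt = $db->prepare(
        'INSERT INTO appointments (id, doctor_id, patient_name)
         SELECT :aptid, d.id, :name
         FROM doctors d
         WHERE d.id = :drid AND d.available = 1'
    );
    $aptId = bin2hex(random_bytes(16)); // placeholder for the app's GUID generation
    $stmt->execute([':aptid' => $aptId, ':name' => $name, ':drid' => $drId]);

    if ($stmt->rowCount() === 0) {
        // Reject instead of silently reassigning, and log the attempt so that
        // repeated bookings against unavailable doctors are visible in monitoring.
        error_log(sprintf('ba.php: rejected booking for doctor %d (unknown or unavailable)', $drId));
        return ['status' => 422, 'error' => 'doctor not available'];
    }

    return ['status' => 200, 'aptid' => $aptId];
}
```

With this in place a request carrying drId=1 for a doctor whose available flag is 0 gets a 422 and writes nothing, which is the behaviour the mitigation asks for.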


FirstBlood ID: 67
Vulnerability Type: Application/Business Logic

It is possible to book an unavailable doctor