BugBountyHunter

Description

Hello Sean,

I've just realized that patients can modify their information on the /manageappointment.php endpoint which they shouldn't be able to due to: "safeguarding reasons"

For this to be exploited users need to set the following cookie in their browser or the Cookie header in the HTTP request:

doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

which is the Base-64 encoded version of:

doctorAuth= {"doctorAuth":authed}

Having this cookie in their browser or the Cookie header in the HTTP request makes it possible for them to edit more information on their appointment details besides the comments that are allowed to be changed.

Steps to reproduce

• First of all, you need to make an appointment on the /book-appointment.html endpoint as a low privilege unauthenticated user, an example of such is shown below:

• After doing so you will be given an appointment ID so that later on you can use it to visit your appointment details and to modify or cancel them.

• Now open the /yourappointments.php endpoint and enter the appointment id that you got from the previous step.

• Intercepting the request of the "modify appointment" results in the following HTTP request:

• Add the following cookie to the Cookie header:

doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

so it's going to be like:

Cookie: drps=9b059c14344c91dcb5c358ce6; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

• Also keep in mind that your drps cookie is different from mine (if exists at all).

• Now you can add other headers and edit them to your desired value:

• Now if you go back to the /manageappointment.php endpoint with your appointment id you can see that your email has been changed:

Impact

• Unauthorized modification of the account information
• Application logic bypass

If you need any further assistance please let me know.

Best regards,

HolyBugx