FirstBlood-#159 — Unauthenticated access to PII data on /drpanel/drapi/qp.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Hello! I found out that /drpanel/drapi/qp.php reveals sensitive PII data like full name, address, telephone number and date of birth. This can be accessed without being authorised, which I think is a privacy issue.
Steps to reproduce
- Visit /drpanel/drapi/qp.php?name=
- A little list of patients will be returned in the response with PII data.
- We also have a little feature where we can search for names, for example /drpanel/drapi/qp.php?name=John will return:
Impact
Private data can be accessed by unauthorised users. This by itself is a privacy violation.
Kind regards,
0xblackbird
P1 CRITICAL
Endpoint: /drpanel/drapi/qp.php
Parameter: name
Payload: {name}
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error
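An added illustration of the logic error described on the line above, not FirstBlood's own source: a PHP handler whose login check lives only inside the POST branch, shown beside a corrected version that enforces the method and the session check before any data is read. The function names, the session key and the patient records are assumptions constructed for this example.

```php
<?php
// Added example (not FirstBlood's real qp.php). $method and $session are
// passed in explicitly so both variants can be compared offline.

// Constructed sample records standing in for the patients table.
$patients = [
    ['name' => 'John Smith', 'dob' => '1970-01-01', 'phone' => '555-0100'],
    ['name' => 'Jane Doe',   'dob' => '1985-06-15', 'phone' => '555-0101'],
];

// Vulnerable: the login check only runs for POST, so any other method
// skips it entirely and still reaches the lookup below.
function qp_vulnerable(string $method, array $session, string $name, array $patients): array {
    if ($method === 'POST') {
        if (empty($session['doctor_logged_in'])) {   // assumed session key
            return ['status' => 401, 'body' => 'unauthorised'];
        }
    }
    $matches = array_values(array_filter($patients,
        fn($p) => stripos($p['name'], $name) !== false));
    return ['status' => 200, 'body' => $matches];
}

// Fixed: reject unexpected methods first, then apply the session check
// unconditionally, before any patient data is touched.
function qp_fixed(string $method, array $session, string $name, array $patients): array {
    if ($method !== 'POST') {
        return ['status' => 405, 'body' => 'method not allowed'];
    }
    if (empty($session['doctor_logged_in'])) {
        return ['status' => 401, 'body' => 'unauthorised'];
    }
    $matches = array_values(array_filter($patients,
        fn($p) => stripos($p['name'], $name) !== false));
    return ['status' => 200, 'body' => $matches];
}

$anon   = [];                           // no doctor session
$doctor = ['doctor_logged_in' => true]; // logged-in doctor session

// Unauthenticated GET: the vulnerable handler returns records, the fixed one refuses.
echo "vulnerable, anon GET:  ", qp_vulnerable('GET',  $anon,   'John', $patients)['status'], "\n";
echo "fixed,      anon GET:  ", qp_fixed('GET',       $anon,   'John', $patients)['status'], "\n";
// The legitimate path (authenticated POST) still works after the fix.
echo "fixed,      doctor POST: ", qp_fixed('POST',    $doctor, 'John', $patients)['status'], "\n";
```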