FirstBlood-#1804 Appointment UUIDs leaked through new ambulances API endpoint
This issue was discovered on FirstBlood v3



On 2022-12-17, 0xblackbird Level 5 reported:

Summary:

Hi

I found out that the /api/ambulances.php endpoint discloses UUIDs + private data of all appointments made (where ambulance was set to 1 during booking). This should not be possible for unprivileged users.

Possible cause:

The developers may have added the all keyword for debugging purposes but forgot about it somehow.

Impact:

I was able to reveal all the private appointments' data + UUIDs (this allows me to modify them, for example). This shouldn't be possible.

Steps to reproduce:

1) After visiting /api/ambulances.php?select=all, for example, we can find the full location in the response.

Mitigation

I recommend removing the all keyword from this endpoint for unprivileged users.

Have a nice day!

Kind regards,

0xblackbird
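The report's mitigation (stop honouring select=all for unprivileged callers) is easier to review with the two handler shapes side by side. The following is an added illustration, not FirstBlood's own code: the $db PDO handle, the appointments table and its columns, the session keys, the staff role name and the behaviour of the non-all branch are all assumptions made for the example. What it shows is the access-control pattern: an explicit allowlist for the select parameter, the enumerating branch gated on the caller's role, and a hard 403 rather than a silent fallback so abuse is visible in logs.

```php
<?php
// Added example, not code from the FirstBlood project. All table names,
// columns, session keys and the role name are assumed for illustration.
declare(strict_types=1);

// Vulnerable shape, as the report describes it: a debug-style "all" keyword
// that dumps every ambulance booking (UUIDs included) to any caller.
function ambulances_vulnerable(PDO $db, array $query): array
{
    $select = $query['select'] ?? '';
    if ($select === 'all') {
        // No authorization check at all.
        return $db->query('SELECT * FROM appointments WHERE ambulance = 1')
                  ->fetchAll(PDO::FETCH_ASSOC);
    }
    return [];
}

// Hardened shape: "all" stays available to staff only, everything else is
// validated against an explicit format, and the unprivileged path returns a
// single booking with the sensitive columns stripped.
function ambulances_hardened(PDO $db, array $query, array $session): array
{
    $select = $query['select'] ?? '';

    if ($select === 'all') {
        // Assumed session layout: $_SESSION['role'] === 'staff' for privileged users.
        if (($session['role'] ?? '') !== 'staff') {
            http_response_code(403);
            error_log('ambulances.php: unprivileged select=all from session '
                      . ($session['id'] ?? 'anon'));
            return ['error' => 'forbidden'];
        }
        // Even for staff, select only the columns the UI needs rather than "*".
        return $db->query('SELECT uuid, name, location FROM appointments WHERE ambulance = 1')
                  ->fetchAll(PDO::FETCH_ASSOC);
    }

    // Assumed non-"all" behaviour: look up one booking by a UUID the caller
    // already holds. Reject anything that is not UUID-shaped before it
    // reaches the query, and use a prepared statement for the lookup.
    $uuidPattern = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    if (!preg_match($uuidPattern, $select)) {
        http_response_code(400);
        return ['error' => 'invalid select value'];
    }
    $stmt = $db->prepare('SELECT eta, status FROM appointments WHERE ambulance = 1 AND uuid = :uuid');
    $stmt->execute([':uuid' => $select]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The UUID is deliberately not echoed back; the caller supplied it.
    return $row === false ? [] : $row;
}

// Assumed entry point for /api/ambulances.php:
// session_start();
// header('Content-Type: application/json');
// echo json_encode(ambulances_hardened($db, $_GET, $_SESSION));
```

The design choice worth noting is that the privileged branch is denied explicitly rather than quietly downgraded to the single-record path: a 403 with a log line turns a probe for select=all into a detectable event, whereas a silent fallback hides both the misuse and any future regression that re-enables the keyword.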

P2 High

Endpoint: /api/ambulances.php

Parameter: select

Payload: all


FirstBlood ID: 71
Vulnerability Type: Information leak/disclosure

The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied