FirstBlood-#265 Critical PII of Patients Leaked to the Public
This issue was discovered on FirstBlood v1



On 2021-05-15, netmous3 Level 4 reported:

Description:

Critical personal identification information of patients of Firstbloodhacker.com is accessible to any person. To gain this access, two issues in the web application have to be exploited.

  1. Register a rogue doctor using the leaked new doctor registration invitation code.
  2. Create a request to the vulnerable endpoint with the cookie values extracted from the doctor portal.

Steps To Reproduce:

Step One: Register a rogue doctor using the leaked new doctor registration invitation code.
  1. Copy the invitation code from the Reddit forum.
  2. Visit the new doctor registration portal and enter the invitation code with any attacker's preferred name as the username.
  3. Log in to the internal doctor's portal with the new user and supplied password via #2.
  4. Extract the cookie values from the logged-in portal.

Step Two: Create a request to the vulnerable endpoint with the cookie values extracted from the doctor portal.
  1. Craft a POST request to the vulnerable endpoint as below.
  2. Add the cookie values extracted from the doctor portal from the previous step.
  3. Send the request and observe the response.

    POST /drpanel/drapi/qp.php HTTP/1.1
    Host: firstbloodhackers.com:49730
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 5
    Origin: http://firstbloodhackers.com:49730
    Connection: close
    Referer: http://firstbloodhackers.com:49730/drpanel/index.php
    Cookie: {value extracted from step 1}

    name=

Impact:

Critical information, including the patients' PII data, is leaked to the public, and Firstbloodhacker may be in violation of the GDPR.
However, the impact may be limited, as knowledge of the vulnerable endpoint was not available to the general public. Secondary validation of newly registered doctors limits the exposure to this PII and the information about the vulnerable endpoint.

P1 CRITICAL

Endpoint: /drpanel/drapi/qp.php

Parameter: name

Payload: NA


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
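
The remedy for this class of finding is a server-side role check that runs before the endpoint's handler, with routes denied unless a rule allows them. The following is an added example modelled in Python, not FirstBlood's code: the role names, the `Session` type and the `/login.php` route are assumptions, and only the `/drpanel` paths come from the report.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional

# Hypothetical role names; the report only separates doctors from administrators.
DOCTOR, ADMIN = "doctor", "admin"

# Deny-by-default policy: route prefix -> roles allowed (None = public).
# /login.php is a constructed route; the /drpanel paths appear in the report.
POLICY = {
    "/drpanel/drapi": {ADMIN},
    "/drpanel": {DOCTOR, ADMIN},
    "/login.php": None,
}

@dataclass(frozen=True)
class Session:
    """Server-side session record; the role is never read from client input."""
    user: str
    role: str

def match_rule(path: str) -> Optional[str]:
    """Return the longest policy prefix covering the normalized path."""
    norm = posixpath.normpath(path)  # collapses ".." segments and duplicate slashes
    hits = [p for p in POLICY if norm == p or norm.startswith(p + "/")]
    return max(hits, key=len) if hits else None

def authorize(path: str, session: Optional[Session]) -> int:
    """HTTP status decided by the gate before any handler code runs."""
    rule = match_rule(path)
    if rule is None:
        return 404                      # unlisted routes are not served
    allowed = POLICY[rule]
    if allowed is None:
        return 200                      # public route
    if session is None:
        return 401                      # no authenticated session
    if session.role not in allowed:
        return 403                      # authenticated, but wrong role
    return 200

if __name__ == "__main__":
    new_doctor = Session("constructed-doctor", DOCTOR)  # constructed sample
    for p in ("/drpanel/index.php", "/drpanel/drapi/qp.php"):
        print(p, authorize(p, new_doctor))
```

Because the rule is keyed on the route prefix rather than written into each script, any new file placed under `/drpanel/drapi` inherits the administrator requirement.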