Summary

An attacker is able to reset the password (without being authenticated themselves) of any user on the site as long as they know the username. It was known from Version 1 that the admin user was drAdmin, and therefore an attacker can also reset that users password and gain admin access.

The following commented out code can be found in the /drpanel endpoint if a user is logged in:

   /* to do
 function editpassword(username) {
 var xhr = new XMLHttpRequest();
 xhr.open("POST", '', true);
 xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

 xhr.onreadystatechange = function() {
     if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
         alert(this.responseText);
         } else {

         }
     }

 xhr.send();
 } */

This highlights the feature that is in development that can be used to reset passwords.

Steps to reproduce

1. Make a POST request to /drpanel/drapi/editpassword.php with a Content-Type of application/x-www-form-urlencoded and the username paramater in the body of these users password you want to reset, e.g. username=drAdmin

2. Send the request and observe the response that shows the updated password:

3. Log in using the username and new password.

4. Using the excample of username drAdmin, observe that we now have admin access by being able to veiw the details of appointments on /drpanel:

Impact

An attacker can take over any users account (without being authenticated) if they know the username, including admin users and gain access to all patient PII details.