FirstBlood-#515 — Non-admin doctor account can use qp.php API
This issue was discovered on FirstBlood v2
On 2021-10-26, kinako Level 5 reported:
Dear FirstBlood security team, I found a vulnerability on your service.
I hope this report will help you.
Summary
A recently registered doctor account cannot use the API in qp.php.
If we try to use it, then we can see this message:
However, a recently registered doctor account can actually use this API IF THEY KNOW THIS API ENDPOINT.
Vulnerability Description (PoC)
In this case, I prepared these session cookies.
drAdmin's session cookie: cf4bc28b24aa99301ea22c7a2
recently registered doctor: 2fa2c7043c5986daadf806727
To confirm, I took a screenshot of the recently registered doctor.
Next, we can see that drAdmin's session works correctly if we use it against the qp.php API.
However, if we set a recently registered doctor's session, then it still works correctly!
This seems to be a bug.
Impact
- a recently registered doctor can see patient information without any approval or authorization
Regards,
kinako
P3 Medium
Endpoint: /drpanel/drapi/qp.php
Parameter: Nay
Payload: Nay
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php is used to respond to GET requests and should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
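The partial fix described above, modelled as an added example (not FirstBlood's own code): one handler with the behaviour the report attributes to qp.php (any valid session is enough), one with the role check that query.php received, and an audit that flags any patient-query handler still accepting a non-admin doctor. Session tokens, roles and patient data are constructed placeholders.

```python
"""Role check for the drpanel query endpoints (added example, not FirstBlood's code).

Models the defect in the report: qp.php accepted any valid doctor session,
while query.php had been fixed to require the admin role. Tokens, roles and
patient records here are constructed placeholders, not real FirstBlood values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed session store: cookie value -> role. Real tokens are opaque and random.
SESSIONS = {
    "ADMIN_SESSION_PLACEHOLDER": "admin",
    "NEW_DOCTOR_SESSION_PLACEHOLDER": "doctor",
}

# Constructed patient record the endpoints return.
PATIENTS = {"1": {"name": "Patient One (constructed)"}}


@dataclass
class Response:
    status: int
    body: dict


def _role_for(cookie: str) -> Optional[str]:
    return SESSIONS.get(cookie)


def qp_before_fix(cookie: str, patient_id: str) -> Response:
    """Behaviour the report describes: authentication only, no role check."""
    if _role_for(cookie) is None:
        return Response(401, {"error": "login required"})
    return Response(200, PATIENTS.get(patient_id, {}))


def query_fixed(cookie: str, patient_id: str) -> Response:
    """Hardened form (what query.php received): authenticate, then authorize by role."""
    role = _role_for(cookie)
    if role is None:
        return Response(401, {"error": "login required"})
    if role != "admin":
        # Fail closed: a valid session is not permission to read patient data.
        return Response(403, {"error": "admin role required"})
    return Response(200, PATIENTS.get(patient_id, {}))


def audit(handlers: Dict[str, Callable[[str, str], Response]]) -> Dict[str, bool]:
    """Regression check: every patient-query handler must return 403 for a non-admin
    doctor session. Returns handler name -> True when it denies correctly."""
    doctor = "NEW_DOCTOR_SESSION_PLACEHOLDER"
    return {name: h(doctor, "1").status == 403 for name, h in handlers.items()}


if __name__ == "__main__":
    print(audit({"qp.php": qp_before_fix, "query.php": query_fixed}))
```

Running the audit over both handlers reports qp.php as failing and query.php as passing, which is exactly the inconsistency between the two endpoints that the report describes.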