FirstBlood-#53 — Unauthorized users can access the "/drpanel/drapi/qp.php" endpoint and access users' PII [COLLAB]
This issue was discovered on FirstBlood v1
On 2021-05-09, holybugx Level 5 reported:
Description
Hello Sean,
I found out that unauthorized users can query for any patient they want using the /drpanel/drapi/qp.php
endpoint. This leads to unauthorized access to users' PII such as name, telephone, address and DOB.
Steps to reproduce
I found out that doctors can query for their patients using the /drpanel/drapi/qp.php
endpoint; when they query for a patient's name, they are given that patient's information, which is used to verify a patient over the phone.
If a doctor queries for a patient using the "Search Patient" button in their panel, a POST request is sent to the /drpanel/drapi/qp.php
API endpoint, and the data is returned in their portal:
Here is the POST request being made to the server:
I found out that changing the POST request to GET results in the following URL endpoint, which can be used to fetch the data of patients:
http://firstbloodhackers.com/drpanel/drapi/qp.php?name=Sean
However, any unauthorized user can use this API endpoint to query for patient names and their PII.
An attacker doesn't need to know the names of the patients to query for. If the name
parameter is empty, all of the patients' data is returned:
Impact
Critical PII Leakage
Kind Regards,
HolyBugx
P1 CRITICAL
Parameter:
Payload:
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, the endpoint /drapi/qp.php becomes available to ANY user, including unauthenticated visitors, due to an application logic error (the authorization check is not enforced on the GET path).
Creator & Administrator
Great finding!
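The triage note describes the root cause as an application logic error: the doctor-only check is bypassed simply by switching the request method. The Python model below is an added example, not FirstBlood's qp.php source (which is not shown on the page). It puts a handler whose session check sits only on the POST path the panel uses next to a hardened version that authenticates before dispatching on method and refuses an empty name, and a probe() helper that runs the four requests a tester would try (authenticated POST, anonymous POST, anonymous GET, anonymous GET with an empty name). The patient rows, the Request class and the session shape are constructed for the illustration.

```python
"""
Model of the method-dependent authorization bug reported against
/drpanel/drapi/qp.php. Added example; the real PHP source is not on the page,
so the handler structure, Request class and sample data are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample rows standing in for the patient table.
PATIENTS = [
    {"name": "Sean", "telephone": "555-0100", "address": "1 Example St", "dob": "1980-01-01"},
    {"name": "Alice", "telephone": "555-0101", "address": "2 Example St", "dob": "1975-06-15"},
    {"name": "Bob", "telephone": "555-0102", "address": "3 Example St", "dob": "1990-12-31"},
]


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)   # query string or form body
    session: dict = field(default_factory=dict)  # {} for an anonymous visitor


def find_patients(name: str) -> list:
    """Substring match on name. An empty name matches every row, which is the
    wildcard behaviour the report observed (equivalent to a LIKE '%%' search)."""
    return [p for p in PATIENTS if name.lower() in p["name"].lower()]


def qp_vulnerable(req: Request):
    """Session check only on the POST path the doctor panel uses; the GET path
    serves the same data with no check at all."""
    if req.method == "POST":
        if "doctor" not in req.session:
            return 401, []
        return 200, find_patients(req.params.get("name", ""))
    if req.method == "GET":
        return 200, find_patients(req.params.get("name", ""))
    return 405, []


def qp_fixed(req: Request):
    """Authenticate before looking at the method, accept only the method the
    panel uses, and refuse the empty-name wildcard that dumps the whole table."""
    if "doctor" not in req.session:
        return 401, []
    if req.method != "POST":
        return 405, []
    name = req.params.get("name", "").strip()
    if not name:
        return 400, []
    return 200, find_patients(name)


def probe(handler) -> dict:
    """Black-box check: status code of each request a tester would try.
    Session contents are a constructed stand-in for the doctor login."""
    anon = {}
    doctor = {"doctor": "dr_example"}
    return {
        "auth_post": handler(Request("POST", {"name": "Sean"}, doctor))[0],
        "anon_post": handler(Request("POST", {"name": "Sean"}, anon))[0],
        "anon_get": handler(Request("GET", {"name": "Sean"}, anon))[0],
        "anon_get_empty": handler(Request("GET", {"name": ""}, anon))[0],
    }


def leaks(handler) -> bool:
    """True if any anonymous request is answered with data (HTTP 200)."""
    r = probe(handler)
    return any(r[k] == 200 for k in ("anon_post", "anon_get", "anon_get_empty"))


if __name__ == "__main__":
    for h in (qp_vulnerable, qp_fixed):
        print(h.__name__, probe(h), "LEAKS" if leaks(h) else "ok")
```

The probe is the check worth keeping: for any endpoint that behaves differently per method, send the same parameters over every verb the framework will route, with and without the session cookie, and treat any anonymous 200 carrying data as a finding. The empty-name case is run separately because a handler can be fixed for method switching and still dump the table on a blank search.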