FirstBlood-#81 — A User can modify the Email of their appointment despite being disabled for safeguarding reasons
This issue was discovered on FirstBlood v1
On 2021-05-10, xnl-h4ck3r Level 4 reported:
Summary
When a user modifies an appointment on /manageappointment.php, the page says "For safeguarding reasons you are only able to modify certain information about your appointment." The email address is disabled, but a user can change it anyway by adding the email parameter to the POST request, or by directly including it in the Extra Comments field because of a DOM XSS vulnerability.
Steps to Reproduce
This can either be done using a proxy such as Burp, or by exploiting the Extra Comments field. Ensure you have the cookie doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 (this is obtained from registering, even if registration is unsuccessful, and the value is fixed).
Proxy method
- Book an appointment on /book-appointment.html and note down the Appointment ID
- Go to /yourappointments.php, enter the Appointment ID, and click RETRIEVE APPOINTMENT
- Notice the message "For safeguarding reasons you are only able to modify certain information about your appointment." and that you are unable to modify the email address.
- Proxy traffic through Burp and turn Intercept on
- On /manageappointment.php for your appointment, click MODIFY APPOINTMENT
- A POST request to /api/ma.php will be intercepted, and you can add email=newemailaddress to the request before forwarding.
- Now enter your appointment ID again and click RETRIEVE APPOINTMENT
- Observe the changed email address.
Extra Comments field exploit
- Book an appointment on /book-appointment.html and note down the Appointment ID
- Go to /yourappointments.php, enter the Appointment ID, and click RETRIEVE APPOINTMENT
- Notice the message "For safeguarding reasons you are only able to modify certain information about your appointment." and that you are unable to modify the email address.
- Enter a value in the Extra Comments field (message) of message&email=newemailaddress and click MODIFY APPOINTMENT
- On /manageappointment.php for your appointment, click MODIFY APPOINTMENT
- Now enter your appointment ID again and click RETRIEVE APPOINTMENT
- Observe the changed email address.
Impact
A user is able to bypass safeguard controls for the management of appointments.
P2 High
Endpoint: /api/ma.php
Parameter: email, message
Payload: n/a
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint ma.php (used to modify an appointment) only allows certain values to be modified. However, due to an application logic error, if the user has tried to sign up as a doctor and therefore has the cookie "doctorAuthed" set, the endpoint allows them to modify the email address of any appointment.
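The following model, added here as an illustration and not FirstBlood's own code, reproduces both vectors from the report (the extra email parameter sent through the proxy, and an unencoded Extra Comments value that smuggles one in) against a handler with the logic error described above, and places the hardened handler and client encoding beside them. The field names, the safeguarding allow-list and the shape of the cookie check are assumptions.

```python
# Added example (not FirstBlood code): models the /api/ma.php flaw described in
# the report. Field names, allow-list and cookie check are assumptions.
from urllib.parse import parse_qs, urlencode

DOCTOR_COOKIE = "eyJkb2N0b3JBdXRoIjphdXRoZWR9"  # fixed value quoted in the report
PATIENT_MODIFIABLE = {"message"}  # assumed: fields the safeguarding rule permits


def build_body_vulnerable(appt_id, message):
    # Mimics a page script that concatenates the raw Extra Comments text into
    # the POST body: "&email=" inside the text becomes a separate parameter.
    return f"id={appt_id}&message={message}"


def build_body_fixed(appt_id, message):
    # Percent-encoding keeps '&' and '=' inside the message value.
    return urlencode({"id": appt_id, "message": message})


def parse_body(body):
    # First value per parameter, as a typical form handler would see it.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def modify_vulnerable(store, body, cookies):
    # Logic error: a client-supplied cookie with a fixed, guessable value
    # (obtainable by anyone who attempts doctor signup) widens the allow-list.
    params = parse_body(body)
    appt = store[params["id"]]
    allowed = set(PATIENT_MODIFIABLE)
    if cookies.get("doctorAuthed") == DOCTOR_COOKIE:
        allowed.add("email")
    for field in params.keys() & allowed:
        appt[field] = params[field]
    return appt


def modify_fixed(store, body, cookies):
    # Hardened: the allow-list is applied unconditionally; client-controlled
    # state never widens it, and unexpected parameters are silently dropped.
    params = parse_body(body)
    appt = store[params["id"]]
    for field in params.keys() & PATIENT_MODIFIABLE:
        appt[field] = params[field]
    return appt


if __name__ == "__main__":
    # Constructed appointment record, not real data.
    store = {"1234": {"email": "patient@example.invalid", "message": ""}}
    body = build_body_vulnerable("1234", "hi&email=changed@example.invalid")
    print(modify_vulnerable(store, body, {"doctorAuthed": DOCTOR_COOKIE}))
```

Run the script once with `modify_vulnerable` and once with `modify_fixed` to see that only the vulnerable handler, with the cookie present, writes the smuggled email address.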