FirstBlood-#829 — Deleted doctor account can be used to access private user information of patient
This issue was discovered on FirstBlood v2
On 2021-10-29, vishal Level 2 reported:
Description: Deleted doctor account can be used to access private user information of patient.
Note: If you find this report not digestible, then please consider going through the reports I have added in the references.
Steps to Reproduce:
- In a previous report, I discussed how the admin endpoint can be accessed by a non-admin, newly registered doctor to see doctors' private information (the report can be seen here: https://www.bugbountyhunter.com/hackevents/report?id=824).
- I have also discovered that the first account gets deleted or deactivated just after registering another account with the same invite code.
- Now is the time to use the information from both.
Create a POST request to the admin endpoint /drpanel/drapi/qp.php with the drps cookie of the deleted account, just like the request I have added below.
POST /drpanel/drapi/qp.php HTTP/1.1
Host: d286a567fc45-vishal.a.firstbloodhackers.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
Origin: https://d286a567fc45-vishal.a.firstbloodhackers.com
Connection: close
Referer: https://d286a567fc45-vishal.a.firstbloodhackers.com/drpanel/index.php
Cookie: drps=153a1070aa9259acbf3446994
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
name=
Note: this endpoint should require an admin cookie, as this page has sensitive info. But to my surprise, first I was able to access it with a new doctor cookie, and now I'm able to access it with the cookie of a deleted doctor account.
In the response below, the private information of the patient can be seen.
Note: the endpoint didn't work without a cookie or if a wrong drps cookie was used, although I was able to get patient info with the deleted account's cookie.
References:
https://www.bugbountyhunter.com/hackevents/report?id=824
https://www.bugbountyhunter.com/hackevents/report?id=826
Let me know if anything is missing or further information is required.
Thanks and Regards - Vishal
P3 Medium
Endpoint: /drpanel/drapi/qp.php
Parameter: name=
Payload: none
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
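The two defects the report and the triage note describe are a missing role check on qp.php and sessions that outlive the account they belong to. The guard below is an added example of how an admin-only PHP endpoint can close both gaps; it is not FirstBlood's code, and the table and column names (doctor_sessions, doctors, is_deleted, role, expires_at) and the PDO handle are assumptions.

```php
<?php
// Added example, not FirstBlood's own code. Schema names below are assumptions.

function current_admin(PDO $db): ?array {
    // The drps cookie is an opaque session token; on its own it proves nothing.
    $token = $_COOKIE['drps'] ?? '';
    if (!preg_match('/^[a-f0-9]{16,128}$/', $token)) {
        return null;
    }
    // Resolve the token to an account on every request and re-check the account
    // state, so a session created before deletion or a role change stops working.
    $stmt = $db->prepare(
        'SELECT d.id, d.role, d.is_deleted
           FROM doctor_sessions s
           JOIN doctors d ON d.id = s.doctor_id
          WHERE s.token = :token AND s.expires_at > NOW()'
    );
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown token, deleted account, or non-admin role: all three are refused.
    if ($row === false || (int)$row['is_deleted'] === 1 || $row['role'] !== 'admin') {
        return null;
    }
    return $row;
}

function require_admin(PDO $db): array {
    $admin = current_admin($db);
    if ($admin === null) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
    return $admin;
}

// Deleting an account must also revoke every live session of that account;
// otherwise the old cookie keeps working, which is what the report shows.
function delete_doctor(PDO $db, int $doctorId): void {
    $db->beginTransaction();
    $db->prepare('UPDATE doctors SET is_deleted = 1 WHERE id = :id')
       ->execute([':id' => $doctorId]);
    $db->prepare('DELETE FROM doctor_sessions WHERE doctor_id = :id')
       ->execute([':id' => $doctorId]);
    $db->commit();
}

// An endpoint such as qp.php would begin with: $admin = require_admin($db);
```

Applying the same guard to every file in /drpanel/drapi/ (rather than fixing query.php and qp.php one at a time) is what prevents the partial fix the triage note describes.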