Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability is an Insecure Direct Object Reference (IDOR) in the 'Medical History' module of PHPGurukul Hospital Management System version 4.0."}, {'type': 'paragraph', 'content': "Specifically, the application does not verify that the 'viewid' parameter in the URL belongs to the currently authenticated patient."}, {'type': 'paragraph', 'content': "This means that an authenticated user can change the 'viewid' integer in the URL to access confidential medical records of other patients without authorization."}, {'type': 'paragraph', 'content': 'The flaw arises from a lack of session-based access control rather than input sanitization issues.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized users to access confidential medical records (Protected Health Information) of other patients.

Such unauthorized access can lead to privacy breaches, exposure of sensitive health information, and potential misuse of that data.

It compromises patient confidentiality and trust in the hospital management system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the 'Medical History' module of the PHPGurukul Hospital Management System v4.0 for Insecure Direct Object Reference (IDOR) issues. Specifically, after logging in as a patient, you can observe the URL parameter 'viewid' when accessing medical records."}, {'type': 'paragraph', 'content': "To detect the vulnerability, try modifying the 'viewid' parameter in the URL to another integer value corresponding to a different patient ID. If the system returns medical records of other patients without proper authorization, the vulnerability exists."}, {'type': 'list_item', 'content': 'Log in as a patient user.'}, {'type': 'list_item', 'content': "Navigate to the 'Medical History' section and note the URL parameter 'viewid'."}, {'type': 'list_item', 'content': 'Use a tool like curl or a browser to change the \'viewid\' parameter to another value, for example: curl -b cookies.txt "http://target/medical_history.php?viewid=11"'}, {'type': 'list_item', 'content': 'Check if the response contains medical records of a different patient.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include implementing proper access control checks on the server side to verify that the 'viewid' parameter belongs to the currently authenticated patient before returning any medical records."}, {'type': 'paragraph', 'content': 'Ensure that the application enforces session-based authorization and does not rely solely on input sanitization to protect sensitive data.'}, {'type': 'list_item', 'content': "Modify the backend code to validate that the requested 'viewid' matches the authenticated user's ID."}, {'type': 'list_item', 'content': 'Restrict direct access to medical records by verifying user permissions on every request.'}, {'type': 'list_item', 'content': 'If possible, apply patches or updates from the vendor addressing this vulnerability.'}, {'type': 'list_item', 'content': "Monitor access logs for suspicious activity involving manipulation of the 'viewid' parameter."}] [1]

Useful 0 Not Useful 0