CVE-2026-31071
Deferred - Pending Action
Unauthenticated API Access in LalanaChami Pharmacy System

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: MITRE

Description
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

The vulnerability in the LalanaChami Pharmacy Management System involves API endpoints that lack authentication middleware. This means that unauthenticated remote attackers can access these endpoints without needing to log in or prove their identity.

Specifically, attackers can exploit the /api/user/getUserData endpoint to dump all user records, which include bcrypt password hashes. They can also modify the drug inventory and access private medical prescription data through the /api/doctorOder endpoint.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive user information, such as password hashes, which could lead to further account compromises.

Attackers can also alter drug inventory data, potentially disrupting pharmacy operations or causing incorrect medication dispensing.

Additionally, unauthorized access to private medical prescription data can lead to privacy violations and misuse of sensitive health information.

Detection Guidance

This vulnerability can be detected by checking if the API endpoints /api/user/getUserData and /api/doctorOder are accessible without authentication. An unauthenticated request to these endpoints that returns sensitive data indicates the presence of the vulnerability.

  • Use curl or a similar HTTP client to send GET requests to the endpoints and observe the responses. Example commands:
      curl -i http://<target-host>/api/user/getUserData
      curl -i http://<target-host>/api/doctorOder

If these commands return user data, password hashes, or private medical prescription data without requiring authentication, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include implementing authentication middleware on the affected API endpoints to restrict access only to authorized users.

Specifically:

  • Add authentication checks to /api/user/getUserData and /api/doctorOder endpoints.
  • Ensure that sensitive data such as user records and medical prescriptions is only accessible after proper authentication and authorization.
  • Review and update the API codebase to include middleware that enforces these security controls.
Compliance Impact

The vulnerability allows unauthenticated remote attackers to access and dump all user records, including bcrypt password hashes, modify drug inventory, and access private medical prescription data. This exposure of sensitive personal and medical information can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over the confidentiality, integrity, and security of personal and health-related data.

Specifically, unauthorized access to private medical prescription data violates HIPAA's requirements for protecting patient health information, while the exposure of user data including password hashes can breach GDPR's mandates on personal data protection and breach notification.
