code-projects Online Hospital Management System - 1.0
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Online Hospital Management System version 1.0. The issue arises in the file viewdoctortimings.php, where the delid parameter is processed without any ownership check: the record identified by delid is deleted regardless of which doctor it belongs to. This flaw enables low-privileged users to delete doctor timing records belonging to other doctors. The deletion is also executed without session validation, so an unauthenticated user may be able to perform the action remotely.
Exploitation of this vulnerability allows for the unauthorized deletion of doctor scheduling records, leading to appointment conflicts and disruption of hospital operations. It could also be exploited to delete all doctor timings from the system, causing significant data loss and operational challenges.
To reproduce this vulnerability, log into the application as a doctor. Navigate to the viewdoctortimings.php page and use Burp Suite to intercept the deletion request. Change the delid parameter to reference a timing record belonging to another doctor. Once the request is sent, that record is deleted without authorization. Because no session check is performed, the same deletion can also be triggered by requesting viewdoctortimings.php directly without a valid session, i.e. without any login credentials.
To address this vulnerability, implement server-side ownership verification before executing deletion requests. Ensure that the logged-in doctor's ID matches the owner of the timing record being deleted. Additionally, enforce session validation for sensitive operations, use POST requests for deletion actions, and apply the principle of least privilege to database user permissions.
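A hardened delete handler that applies the fixes above (session validation, POST-only deletion, ownership scoping in the query, and a least-privilege database account), written here as an added example that is not the project's own code; the table and column names, the session keys, and the database credentials are assumptions for illustration.

```php
<?php
// Added example (not the application's code): a hardened delete handler for
// doctor timing records. The table tbldoctortimings, the columns id and
// doctor_id, the session keys and the DB credentials are all assumptions.
session_start();

// 1. Session validation: only an authenticated doctor may reach this code.
if (empty($_SESSION['doctor_id'])) {
    http_response_code(401);
    exit('Login required');
}
// 2. Deletion changes state, so require POST; a GET link must never delete.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
// 3. CSRF token bound to the session, compared in constant time.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid request token');
}
// 4. Validate the identifier's type before it reaches the query.
$delid = filter_input(INPUT_POST, 'delid', FILTER_VALIDATE_INT);
if ($delid === false || $delid === null) {
    http_response_code(400);
    exit('Invalid record id');
}
// 5. Ownership verification in the query itself: the DELETE is scoped to the
//    logged-in doctor's own records, so a foreign delid matches nothing.
//    'hms_app' / 'PLACEHOLDER_PASSWORD' stand for a DB account granted only
//    the DELETE/SELECT rights this page needs (least privilege).
$pdo = new PDO('mysql:host=localhost;dbname=hms', 'hms_app', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare(
    'DELETE FROM tbldoctortimings WHERE id = :id AND doctor_id = :doctor_id'
);
$stmt->execute([
    ':id'        => $delid,
    ':doctor_id' => (int) $_SESSION['doctor_id'],
]);
if ($stmt->rowCount() === 0) {
    // Either the record does not exist or it belongs to another doctor;
    // answer both cases identically so record ids cannot be enumerated.
    http_response_code(404);
    exit('Record not found');
}
echo 'Timing record deleted';
```

The ownership condition lives in the WHERE clause rather than in a separate lookup, which avoids a check-then-delete race and makes the scoping easy to audit in one place.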