SourceCodester Patients Waiting Area Queue Management System Improper Authorization Vulnerability in Patient Check-In Module
Vulnerability
A vulnerability exists in SourceCodester Patients Waiting Area Queue Management System version 1.0, specifically within the Patient Check-In Module. The issue arises in the file '/php/api_patient_checkin.php', where the 'ValidateToken' function is defined but never called. This oversight allows unauthenticated remote attackers to access endpoint handlers for walk-in patient registration and queue record insertion without any credentials or authorization. The vulnerability can be exploited through the application's user interface by any anonymous user with network access to the server.
Impact
Exploitation of this vulnerability allows for improper authorization, enabling unauthorized access to patient check-in and queue management functions. This could lead to the insertion of fake entries into the clinical queue, causing real patients to be skipped and disrupting hospital operations. Such actions could create a patient safety risk by obscuring genuine queue records with fraudulent ones.
Reproduction
The vulnerability can be reproduced by sending a POST request to '/php/api_patient_checkin.php' without an Authorization header. This can be done using tools like curl or Postman. The request must include the 'type' parameter set to 'walk-in', along with other required fields such as 'patientId', 'appointmentType', 'additionalinfo', and 'termsAgreement'. Once the request is sent, the response will indicate a successful check-in without any authentication, and a queue record will be created.
Remediation
To address this vulnerability, the 'ValidateToken' function should be integrated into the beginning of each request handler in the 'api_patient_checkin.php' file. This will ensure that proper authentication is enforced before processing any check-in or queue-related actions.
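As an added illustration of the remediation above (example code, not the project's own source), the sketch below shows the vulnerable pattern the advisory describes, a token-validation function that is defined but never invoked, beside a hardened layout where the check runs before any handler is dispatched. The bearer-token scheme, the `CHECKIN_API_TOKEN` environment variable, and the function names `extractBearerToken`, `validateToken` and `handleWalkIn` are assumptions for the example; the real application's `ValidateToken` may use sessions or a database-backed token instead.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (as described in the advisory): the validation helper
// exists, but nothing below ever calls it, so every handler runs unauthenticated.
//
//   function ValidateToken() { /* ... */ }   // defined
//   if ($_POST['type'] === 'walk-in') { ... }  // reached with no check at all
//
// Hardened layout: a request gate that runs before any handler.

/** Return the bearer token from the request headers, or null when absent. */
function extractBearerToken(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0
            && preg_match('/^Bearer\s+(\S+)$/i', trim($value), $m)) {
            return $m[1];
        }
    }
    return null;
}

/** True only when the presented token matches the expected one (constant-time compare). */
function validateToken(?string $presented, string $expected): bool
{
    if ($presented === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $presented);
}

/** Reject the request before any check-in or queue logic runs. */
function denyUnauthenticated(): void
{
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['status' => 'error', 'message' => 'Authentication required']);
    exit;
}

/** Walk-in handler; only reachable once the gate below has passed. */
function handleWalkIn(array $input): void
{
    $required = ['patientId', 'appointmentType', 'additionalinfo', 'termsAgreement'];
    foreach ($required as $field) {
        if (!isset($input[$field]) || $input[$field] === '') {
            http_response_code(422);
            echo json_encode(['status' => 'error', 'message' => "Missing field: $field"]);
            return;
        }
    }
    // Queue record insertion would go here, using a prepared statement (placeholder).
    echo json_encode(['status' => 'success', 'message' => 'Walk-in patient checked in']);
}

// --- Gate: the fix is that this runs unconditionally, before the type switch ---
$expectedToken = getenv('CHECKIN_API_TOKEN') ?: '';                 // assumed deployment secret
$headers = function_exists('getallheaders') ? getallheaders() : [];
if (!validateToken(extractBearerToken($headers), $expectedToken)) {
    denyUnauthenticated();
}

header('Content-Type: application/json');
switch ($_POST['type'] ?? '') {
    case 'walk-in':
        handleWalkIn($_POST);
        break;
    default:
        http_response_code(400);
        echo json_encode(['status' => 'error', 'message' => 'Unknown request type']);
}
```

The important property is structural: because the gate sits above the dispatch and calls `exit` on failure, adding a new `case` later cannot accidentally bypass authentication, which is the failure mode the advisory attributes to a helper that was never wired in. A regression check for the fix is simply that a POST with `type=walk-in` and no Authorization header now returns 401 and creates no queue record.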