Author: captain-noob
Vendor: PHPGurukul (https://phpgurukul.com/)
Software: Hospital Management System In PHP (https://phpgurukul.com/hospital-management-system-in-php)
The Hospital Management System (HMS) allows users to register as patients and provides separate logins for doctors and admins. However, the system does not have proper session management in place, making it vulnerable to session hijacking. An attacker can register as a patient and obtain a valid session token. With this token, the attacker can then access the Doctor and Admin panels without any authentication credentials. This vulnerability can be exploited to perform privilege escalation, enabling the attacker to access sensitive areas of the system beyond their intended privileges.
An attacker can exploit this vulnerability to gain unauthorized access to sensitive areas of the system, such as patient records or administrative functions. This could potentially result in a data breach or other serious security incidents.
1. Install the Hospital Management System.
2. Navigate to the Patient Login page (http://<domain:port>/hms/user-login.php).
3. Click on "create an account" and register a patient (http://<domain:port>/hms/registration.php).
4. Once the patient is created, navigate to the login page and log in with the credentials.
5. After a successful login, navigate to the Doctor dashboard (http://<domain:port>/hms/doctor/dashboard.php). Observe that the attacker gets access to the doctor dashboard without any doctor credentials.
6. Similarly, try to access the Admin dashboard at http://<domain:port>/hms/admin/dashboard.php. Again, note that the attacker is able to access the dashboard without any admin credentials.
The system should implement proper session management to prevent session hijacking and privilege escalation. Specifically, the system should assign a specific role to each user upon registration and verify the role before allowing access to sensitive areas of the system. Additionally, the system should implement a mechanism to invalidate sessions upon logout or after a period of inactivity.
For example, you could use the following code to set the role of the user upon login:
// login as a patient
$_SESSION['role'] = 'patient';
// login as a doctor
$_SESSION['role'] = 'doctor';
// login as an admin
$_SESSION['role'] = 'admin';
Then, in the session check code, you can verify that the user has the correct role before allowing them access to the doctor or admin panel. Here is example code (the role comparison must use "and", not "or": a role can never equal both 'doctor' and 'admin', so an "or" check would reject every user):
// Reject the request unless a role is set and it is one of the permitted ones
if(!isset($_SESSION['role']) || !in_array($_SESSION['role'], ['doctor', 'admin'], true)) {
    header('location:logout.php');
    exit(); // stop the script; a redirect header alone does not prevent the page from rendering
} else{
    //login function
}
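As an added example, not code from the advisory or from PHPGurukul, the following helper shows how the remediation above could be wired in: a login routine that binds the role to a freshly regenerated session, and a per-page guard that checks the role and an idle timeout before a dashboard renders. The include path hms/include/session_guard.php and the IDLE_TIMEOUT_SECONDS value are assumptions; logout.php is the redirect target used in the advisory's own snippet.

```php
<?php
// Added example (not PHPGurukul's code). Assumed location: hms/include/session_guard.php,
// included at the top of every protected page after session_start().

const IDLE_TIMEOUT_SECONDS = 900; // assumption: 15 minutes of inactivity ends the session

// Call once, only after the user's password has been verified by the login page.
// Binds the role to the session and rotates the session ID so that an ID issued
// before authentication cannot be carried into the authenticated session.
function login_as(string $userId, string $role): void {
    if (!in_array($role, ['patient', 'doctor', 'admin'], true)) {
        throw new InvalidArgumentException('unknown role');
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role'] = $role;
    $_SESSION['last_activity'] = time();
}

// Call at the top of every protected page with the roles allowed to view it.
// A missing session, a role that is not in the list (e.g. a patient session
// requesting a doctor page), or an idle session is destroyed and redirected.
function require_role(array $allowedRoles): void {
    $ok = isset($_SESSION['role'], $_SESSION['last_activity'])
        && in_array($_SESSION['role'], $allowedRoles, true)
        && (time() - $_SESSION['last_activity']) <= IDLE_TIMEOUT_SECONDS;
    if (!$ok) {
        session_unset();
        session_destroy();
        header('Location: logout.php');
        exit; // never let the protected page render after the redirect header
    }
    $_SESSION['last_activity'] = time(); // sliding idle timeout
}

// Usage in doctor/dashboard.php (admin/dashboard.php would pass ['admin']):
//   session_start();
//   require_once __DIR__ . '/../include/session_guard.php';
//   require_role(['doctor']);
```

Because each dashboard names the exact roles it accepts, a patient session that reaches doctor/dashboard.php or admin/dashboard.php fails the check even though it is a valid, authenticated session.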