There is a commented-out snippet of JS code on
/drpanel/index.php. This code is for changing the password of a user; the JS code is incomplete, but one can fill in the blanks easily.
So I guessed that there is an endpoint
/drpanel/drapi/editpassword.php that accepts a POST request and a username body parameter. I tried it on my logged-in user and it succeeded, so why stop there? I know from v1 that the admin account username is drAdmin, so I tried it and indeed I was able to change the password of drAdmin and log in successfully.
POST /drpanel/drapi/editpassword.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Me, logged in and able to view appointments of patients (which I couldn't do with my self-registered user).
I can take over any user just by knowing the username.
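The root cause described above is a state-changing endpoint that trusts a client-supplied username instead of the identity bound to the server-side session. The following is an added example, not the application's code, of how a defender would write such a password-change handler: the target account is always the session user, the current password must be re-proven, a mismatched username in the body is refused and logged as an alert, and hashes are salted PBKDF2 compared in constant time. The in-memory UserStore, the function names, the current_password/new_password field names and the sample accounts and passwords are all constructed for the example.

```python
"""Hardened password-change handler (added example; not the application's own code).

Assumptions not taken from the report: users live in an in-memory dict keyed by
username, passwords are stored as salted PBKDF2-HMAC-SHA256 digests, and the web
framework hands us the session username separately from the client-sent body.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict, List

# Iteration count in the range OWASP recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so response timing does not leak digest prefixes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserStore:
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # username -> (salt, digest)
    audit_log: List[str] = field(default_factory=list)  # what a SOC would ingest

    def add(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)


def change_password(session_user: Optional[str], body: Dict[str, str], store: UserStore) -> Tuple[int, str]:
    """Handle POST /editpassword.

    session_user: username taken from the server-side session (None when unauthenticated).
    body: POST fields exactly as the client sent them; nothing in it is trusted for identity.
    Returns an (http_status, message) pair.
    """
    if session_user is None or session_user not in store.users:
        return 401, "authentication required"

    # The account being changed is the session identity, never the body. A body
    # username that names someone else is the IDOR attempt from the report: refuse
    # it and emit an alert-grade log line rather than silently ignoring it.
    requested = body.get("username")
    if requested is not None and requested != session_user:
        store.audit_log.append(
            f"ALERT editpassword: session_user={session_user} supplied username={requested}"
        )
        return 403, "forbidden"

    current = body.get("current_password")
    new = body.get("new_password")
    if not current or not new:
        return 400, "current_password and new_password are required"

    salt, digest = store.users[session_user]
    if not verify_password(current, salt, digest):
        store.audit_log.append(f"WARN editpassword: bad current password for {session_user}")
        return 403, "current password incorrect"

    if len(new) < MIN_PASSWORD_LENGTH:
        return 400, f"new password must be at least {MIN_PASSWORD_LENGTH} characters"

    store.users[session_user] = hash_password(new)  # new random salt on every change
    store.audit_log.append(f"INFO editpassword: password changed for {session_user}")
    return 200, "password changed"


def demo() -> List[Tuple[int, str]]:
    """Constructed scenario mirroring the report: a low-privilege user targets drAdmin."""
    store = UserStore()
    store.add("patient1", "correct horse battery staple")   # constructed test account
    store.add("drAdmin", "placeholder-admin-password-xyz")    # constructed, not the real value
    results = [
        change_password(None, {"username": "drAdmin", "new_password": "Attacker-Chosen-1"}, store),
        change_password("patient1", {"username": "drAdmin", "new_password": "Attacker-Chosen-1"}, store),
        change_password("patient1", {"current_password": "correct horse battery staple",
                                     "new_password": "A-New-Long-Passphrase"}, store),
    ]
    return results


if __name__ == "__main__":
    for status, msg in demo():
        print(status, msg)
```

The decisive line is that `change_password` never reads the body to decide whose password changes; the `username` field is consulted only to detect and log an attempt that should not happen. In the report's scenario the second request in `demo()` is refused with 403 and leaves an ALERT entry, and the only way to change a password is the third request, which re-proves the current one.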