FirstBlood-#498 — Stored XSS on /drpanel/cancelled.php can lead to admin account takeover
This issue was discovered on FirstBlood v2
On 2021-10-25, shivam18u (Level 3) reported:
Hi Sean,
I found a stored XSS on /drpanel/cancelled.php which can lead to admin account takeover.
While cancelling an appointment, the message parameter is not sanitized. We can send our payload and trigger the XSS on an admin account.
Steps to reproduce:
1) Create an appointment and then visit the manage appointment page with the appointment id.
2) Start the burp intercept and click on cancel appointment on browser.
3) In the Burp intercept, modify the request body and add a message parameter with the payload "><script>alert(document.cookie)</script>. Send the request.
4) In the admin panel, you can see the payload triggering and an alert box popping up on the cancelled.php page. Since the cookies are not HttpOnly, they can be stolen using JavaScript.
Have a nice day!
P2 High
Endpoint: /drpanel/cancelled.php
Parameter: message
Payload: "><script>alert(document.cookie)</script>
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, for example when creating and editing an appointment and not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in admins being vulnerable on cancelled appointments as well.
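The following is an added example written for this page, not FirstBlood's own code, illustrating the two points above: the message must be escaped at output time in the HTML context where it is rendered (the report shows it landing inside a double-quoted attribute), and the admin session cookie must carry HttpOnly so a script cannot read it via document.cookie. The function names and the cookie settings are hypothetical stand-ins for the real cancelled.php rendering and session setup.

```php
<?php
// Added example, not FirstBlood's code. Function names are hypothetical.
declare(strict_types=1);

// Escape for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles (htmlentities() before PHP 8.1 defaulted to ENT_COMPAT,
// which leaves single quotes untouched); ENT_SUBSTITUTE avoids returning
// an empty string when the input contains invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe rendering: the stored cancellation message is concatenated straight
// into the attribute, so a quote in the message closes it and the rest of the
// message is parsed as markup. This mirrors the behaviour in the report.
function renderCancelledUnsafe(string $message): string
{
    return '<input type="text" name="message" value="' . $message . '">';
}

// Hardened rendering: escape when writing into the HTML, not when storing,
// so the same stored value is safe on the cancel, create and edit pages.
function renderCancelledSafe(string $message): string
{
    return '<input type="text" name="message" value="' . escapeHtml($message) . '">';
}

// Session cookie flags (PHP >= 7.3 array form of session_set_cookie_params):
// HttpOnly keeps document.cookie from exposing the admin session even if a
// script does execute; Secure and SameSite are defence in depth.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed input: the payload string from the report, as an attacker would
// have stored it through the unsanitised message parameter.
$storedMessage = '"><script>alert(document.cookie)</script>';

echo "Unsafe: ", renderCancelledUnsafe($storedMessage), PHP_EOL;
echo "Safe:   ", renderCancelledSafe($storedMessage), PHP_EOL;
```

Run it with the PHP CLI to compare the two rendered lines: in the safe output the quote and angle brackets appear as entities, so the browser shows the payload as text inside the field rather than executing it. Escaping has to be applied per output context; the same value placed inside a JavaScript string or a URL needs a different encoder, which is why a single htmlentities() call at one point does not close the issue across the create, edit and cancel pages.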