FirstBlood-#1200 — Change doctors images via the admin panel
This issue was discovered on FirstBlood v3
On 2022-12-08, agentmellow (Level 3) reported:
It is possible to load another image from the server to any given doctor. This is possible due to the parameter photoUrl.
Steps to reproduce:
- Be authenticated and proxy the request POST /drpanel/drapi/edit-dr.php
- Change the profile picture by adding &photoUrl=/images/doctor_4.png to the POST data of the request (do note that the CSRF token must be valid, etc.)
Maybe I'll edit this report if there's more that meets the eye here :)
Proof of concept:
P4 Low
Endpoint: /drpanel/drapi/edit-dr.php
Parameter: photoUrl
Payload: /images/doctor_4.png
FirstBlood ID: 61
Vulnerability Type: Application/Business Logic
It mentions that doctor photos can NOT be modified, but it is actually possible to modify them.
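A defensive counterpart to the report above, added here as an illustration and not FirstBlood's own code: the root cause is that edit-dr.php writes whatever field the client submits, so an explicit allowlist of editable columns drops photoUrl (and anything else unexpected) before the UPDATE and logs the attempt. The table and column names other than photoUrl, the csrf/id parameter names and the sample request are assumptions constructed for the example.

```php
<?php
// Added defensive example (not FirstBlood code): allowlist the fields a doctor-panel
// edit endpoint may change so that an unexpected parameter like photoUrl is
// ignored and logged instead of persisted. Table/column names are assumptions.

declare(strict_types=1);

// Fields the panel is allowed to change. photoUrl is deliberately absent.
const EDITABLE_DOCTOR_FIELDS = ['name', 'speciality', 'bio'];

/**
 * Split submitted POST data into allowlisted fields and rejected keys.
 * Control parameters (CSRF token, record id) are validated elsewhere and skipped here.
 */
function filterDoctorUpdate(array $post): array
{
    $allowed = [];
    $rejected = [];
    foreach ($post as $key => $value) {
        if (in_array($key, ['csrf', 'id'], true)) {
            continue;
        }
        if (in_array($key, EDITABLE_DOCTOR_FIELDS, true)) {
            $allowed[$key] = is_string($value) ? trim($value) : $value;
        } else {
            $rejected[] = $key;  // e.g. photoUrl from the report
        }
    }
    return [$allowed, $rejected];
}

/**
 * Apply the filtered update with a prepared statement. Column names come only
 * from the allowlist, so interpolating them is safe; values are always bound.
 */
function updateDoctor(PDO $pdo, int $doctorId, array $fields): int
{
    if ($fields === []) {
        return 0;
    }
    $set = implode(', ', array_map(fn(string $c): string => "$c = :$c", array_keys($fields)));
    $stmt = $pdo->prepare("UPDATE doctors SET $set WHERE id = :id");
    foreach ($fields as $col => $val) {
        $stmt->bindValue(":$col", $val);
    }
    $stmt->bindValue(':id', $doctorId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- demo against an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE doctors (id INTEGER PRIMARY KEY, name TEXT, speciality TEXT, bio TEXT, photoUrl TEXT)');
$pdo->exec("INSERT INTO doctors VALUES (1, 'Dr. Example', 'Cardiology', '', '/images/doctor_1.png')");

// Constructed request body shaped like the one in the report (csrf value is a placeholder).
parse_str('id=1&csrf=TOKEN&name=Dr.+Example&photoUrl=/images/doctor_4.png', $post);

[$fields, $rejected] = filterDoctorUpdate($post);
if ($rejected !== []) {
    // Detection hook: an unexpected field on this endpoint is worth an alert, not just a drop.
    error_log('edit-dr: ignored non-editable fields ' . implode(',', $rejected)
        . ' for doctor ' . (int) $post['id']);
}
updateDoctor($pdo, (int) $post['id'], $fields);

$row = $pdo->query('SELECT name, photoUrl FROM doctors WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo 'name=' . $row['name'] . ' photoUrl=' . $row['photoUrl'] . PHP_EOL;
```

Run with `php example.php`; the name is updated but photoUrl keeps its original value, and the dropped parameter is written to the error log. The allowlist is the fix; the rejected-key log is what lets a defender notice that someone is probing the endpoint with fields the UI never sends.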
Creator & Administrator
Congratulations, you were the third user to report this!