FirstBlood-#456 — [COLLAB with isitbug] Stored XSS via cancelled appointment's message that executes on doctors
This issue was discovered on FirstBlood v2
On 2021-10-25, shreky Level 5 reported:
Summary
Same bug as last time again,via a cancelled appointment's message it's possible to exploit a Stored XSS that fires on /drpanel/cancelled.php when accessed by admins/doctors.
Steps to reproduce
- Make an appointment
- Cancel it and intercept the request,and add
&message="><svg/onload=confirm`1`>
in the POST param and Send
It should look like this:
act=cancel&id=2f3ddc87-1eea-4b64-8862-8d21e1df07c3&message="><svg/onload=confirm`1`>
- Now,as a doctor,go to Cancelled appointments from the dashboard
- XSS will execute
Impact
Stored XSS that affects any doctor/admin that accesses /drpanel/cancelled.php.
PoC -->
P2 High
Endpoint: /drpanel/cancelled.php
Parameter: message
Payload: "><svg/onload=confirm`1`>
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.