FirstBlood-#1200Change doctors images via the admin panel
This issue was discovered on FirstBlood v3

On 2022-12-08, agentmellow Level 3 reported:

It is possible to load another image from the server to any given doctor. This is possible due to the parameter photoUrl.

Steps to reproduce:

  1. Be authenticated and proxy the request POST /drpanel/drapi/edit-dr.php
  2. Change profile picture by adding &photoUrl=/images/doctor_4.png to the POST-data of the request (do note that the csrf token must be valid etc)

Maybe I'll edit this report if there's more that meets the eye here :)

Proof of concept:

P4 Low

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: /images/doctor_4.png

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified but it is actually possible to modify them

Report Feedback


Creator & Administrator

Congratulations, you were the third user to report this!