FirstBlood-#1200 — Change doctors images via the admin panel
This issue was discovered on FirstBlood v3
On 2022-12-08, agentmellow Level 3 reported:
It is possible to load another image from the server to any given doctor. This is possible due to the parameter photoUrl.
Steps to reproduce:
- Be authenticated and proxy the request POST /drpanel/drapi/edit-dr.php
- Change profile picture by adding &photoUrl=/images/doctor_4.png to the POST-data of the request (do note that the csrf token must be valid etc)
Maybe I'll edit this report if there's more that meets the eye here :)
Proof of concept:
FirstBlood ID: 61
Vulnerability Type: Application/Business Logic
It mentions that doctor photos can NOT be modified but it is actually possible to modify them
Creator & Administrator
Congratulations, you were the third user to report this!