FirstBlood-#1254Stored XSS through Doctors photo URL pn endpoint meet drs.php
This issue was discovered on FirstBlood v3

On 2022-12-09, xnl-h4ck3r Level 4 reported:

AN UPDATE: This doesn't work for drId=3 for some reason, but does work for 1 and 2


There is a stored XSS vulnerability in the doctors photo.

When editing the details of a doctor (which can be done by an Admin, or via a CSRF vuln using a GET request to /drpanel/drapi/edit-dr.php - see previous report), it is also possible to change the doctors photo via the photoUrl parameter. It is possible to pass a value that results in a stored XSS on endpoint /meet_drs.php.

Steps to Reproduce

  1. Go to /login/php and log in as an Admin user.

  2. Click the Modify Doctor button for the first doctor.

  3. Proxy traffic through Burp, and set Intercept On.

  4. Change the POST parameters to include the payload &photoUrl=///xn1"%09onerror=alert(document.domain);///

  5. Now visit endpoint /meet_drs.php and observe the XSS payload fires:

  6. Viewing the source of the page, you can see that it is possible to escape the image src attribute and add a new attribute and arbitrary javascript to fire:


An attacker can make arbitrary javascript calls for anyone that visits the endpoint /meet_drs.php

P2 High

Endpoint: /meet_drs.php

Parameter: photoUrl

Payload: ///xn1"%09onerror=alert(document.domain);///

FirstBlood ID: 64
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor

Report Feedback


Creator & Administrator

Congratulations, you were the first user to report this!