FirstBlood-#1254 — Stored XSS through Doctors photo URL on endpoint meet_drs.php
This issue was discovered on FirstBlood v3
On 2022-12-09, xnl-h4ck3r Level 4 reported:
AN UPDATE: This doesn't work for drId=3 for some reason, but does work for 1 and 2
There is a stored XSS vulnerability in the doctor's photo.
When editing the details of a doctor (which can be done by an Admin, or via a CSRF vuln using a GET request to /drpanel/drapi/edit-dr.php, see previous report), it is also possible to change the doctor's photo via the photoUrl parameter. It is possible to pass a value that results in a stored XSS on endpoint
Steps to Reproduce
/login/php and log in as an Admin user.
Click the Modify Doctor button for the first doctor.
Proxy traffic through Burp, and set Intercept On.
Change the POST parameters to include the payload
Now visit endpoint /meet_drs.php and observe the XSS payload fires:
Viewing the source of the page, you can see that it is possible to escape the image
FirstBlood ID: 64
Vulnerability Type: Stored XSS
There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor
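The report above describes a photoUrl value that breaks out of the image's src attribute on meet_drs.php. The following is an added example, not FirstBlood's own code, of the two defensive layers that close this class of bug in PHP 8+: validating the photoUrl parameter before it is stored, and attribute-escaping the stored value when it is rendered. Function names and the sample inputs are assumptions for this illustration.

```php
<?php
// Added example (not FirstBlood's code): validate the photoUrl parameter on
// write, and escape it on render, so the value cannot escape <img src="...">.
// Function names and sample inputs are assumptions for this illustration.

declare(strict_types=1);

/**
 * Accept only a site-relative path or an absolute http(s) URL.
 * Returns null for anything else so the edit can be rejected, not stored.
 */
function validate_photo_url(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 2048) {
        return null;
    }
    // Control characters, quotes and angle brackets never belong in a URL
    // and are exactly what an attribute or tag breakout needs.
    if (preg_match('/[\x00-\x1F\x7F"\'<>]/', $candidate)) {
        return null;
    }
    // Site-relative path (e.g. /images/doctors/1.jpg); forbid protocol-relative "//".
    if ($candidate[0] === '/' && !str_starts_with($candidate, '//')) {
        return $candidate;
    }
    // Absolute URL: must parse and use http or https (no javascript:, data:, ...).
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $candidate : null;
}

/**
 * Render the <img>. ENT_QUOTES escaping is the independent second layer:
 * even a stored value that slipped past validation cannot close src="...".
 */
function render_doctor_photo(string $storedUrl, string $doctorName): string
{
    $src = htmlspecialchars($storedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $alt = htmlspecialchars($doctorName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $src . '" alt="' . $alt . '">';
}

// Constructed inputs: a legitimate path, then two values that must be refused.
var_dump(validate_photo_url('/images/doctors/1.jpg'));   // string(21)
var_dump(validate_photo_url('javascript:alert(1)'));     // NULL (scheme)
var_dump(validate_photo_url('1.jpg" data-x="y'));        // NULL (quote)
echo render_doctor_photo('/images/doctors/1.jpg', 'Dr. Example'), "\n";
```

Rejecting the value in edit-dr.php stops the stored XSS at the source; escaping in meet_drs.php protects the page even if an older record already holds a bad value.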
Creator & Administrator
Congratulations, you were the first user to report this!