FirstBlood-#1459It is possible to bypass relative URL by using triple forward slashes on photoURL and load external images
This issue was discovered on FirstBlood v3



On 2022-12-10, 0xblackbird Level 5 reported:

Summary:

Hi

In my previous report, I and @Ayush1098 found out that it was possible to change profile photo of other doctors using the photoUrl parameter. However, I noticed that the // gets replaced by a /. So by providing a /// we can link images from external hosts as the profile photo of other doctors.

I'm unsure if this should be reported in a separate report or just be included in my previous report. That's why I decided to report it in as a new submission.

Possible cause:

The developers thought replacing a // with a / was sufficient to mitigate this, however, this is not the case as it doesn't look for it recursively

Impact:

I'm no more only able to link resources on firstblood but also it load from external resources. This can cause reputable damage to doctors if their photo gets changed to something unapproperiate.

Steps to reproduce:

1) Login using the default credentials: admin:admin

2) Next, replicate the following request:

POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: {HOST}
Cookie: drps={SESS_COOKIE}
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
drid=1&name=xyz&bio=&bookable=0&photoUrl=///{HOST}/{PATH_TO_IMG}.png

3) Once sent, we can visit /doctors.php or /manageappointment.php?success&aptid={ID} to double check this:

Mitigation:

I recommend removing the photoUrl parameter from the API endpoint.

If you have any additional questions regarding this submission. Please do not hesitate to ask.

Kind regards,

0xblackbird

P4 Low

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: ///example.com/image.png


FirstBlood ID: 60
Vulnerability Type: Application/Business Logic

The parameter "photoUrl" on /drapi/edit-dr.php should only allow for relative URL paths but this can be bypassed.

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were second to discover this!