FirstBlood-#1637Unauthenticated Modification of the Doctors Data via New Api Call
This issue was discovered on FirstBlood v3

On 2022-12-12, mr_xhunt Level 8 reported:


Leads to Stored XSS in Bio of doctor on /about.php endpoint [Added ]

Fuzzing /api endpoint leaked /api/managedoctors.php endpoint which Can be Accessed by any Unauthed User and Can Modify the data by Sending PUT request.

Steps to Reproduce:

  1. Intercept any request on firstblood and Send it to Repeter
  2. Now Change the endpoint to : /api/managedoctors.php
  3. Now Change the Request method to PUT as POST checks if the user is allowed or not
  4. Now Remove the Content-Type or just make it suitable for JSON payload
  5. Now Add the following Parameters and Send the request the Doctors Data will be changed

  1. Again Send the same request with the XSS Payload in the bio [note the drId must be 3 as the XSS is present on /about.php]

  1. Now Visit /about.php endpoint:

P2 High

Endpoint: /api/managedoctors.php

Parameter: bio

Payload: <svg/onload=alert(document.domain)>

FirstBlood ID: 75
Vulnerability Type: Access_control

An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint

FirstBlood ID: 74
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS via the doctors bio on about.php (doctor ID 3) and meet_drs.php (only doctor ID 1 and 2 are affected)