FirstBlood-#1701 DoS on about.php, doctors.php and meet_drs.php pages due to edit-dr.php
This issue was discovered on FirstBlood v3

On 2022-12-13, agentmellow (Level 3) reported:

Lol, this is a weird one. Since I was not able to figure out the XSS where these reflections are found (about.php, doctors.php, meet_drs.php), I was fuzzing and noticed (by blunder, I might add) that '<!--' is accepted as-is, which makes the page 'hang'.

Note that for a fine chain, CSRF on this form (or default creds) is sweet potatoes. But we can also chain this with https://www.bugbountyhunter.com/hackevents/report?id=1422, which would DoS all login attempts via /login.php to reset the rendered HTML, as well as the three other pages mentioned.

Steps to reproduce:

  1. On POST /drpanel/drapi/edit-dr.php, as an authenticated user, make sure to set: drid=3&name=<!--
  2. A 200 OK with "Success! Your doctor has been modified." should be returned.
  3. With your browser, try to visit about.php, doctors.php and meet_drs.php.
  4. The pages are unable to load due to the reflection of the HTML closing tag not being filtered.

POC:

I'm unsure if this is intended or not. Maybe it's a separate bug ID vs the XSS that must exist on this parameter... If I find it, another report shall follow! Cheers!

P5 Informative

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
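The mechanism behind the "hang" described in the report is an unterminated HTML comment: once a browser's tokenizer sees <!-- and never finds a matching -->, the HTML5 comment state runs to end of input, so every element after the injection point (including, on a page that carries it, the login form) is swallowed. The following Python is an added example written for this page, not code from FirstBlood or from the reporter. The page template is a constructed stand-in for the doctor listing; the real about.php/doctors.php/meet_drs.php markup and the login.php chain referenced in the report are not reproduced. It renders the template once with the name reflected raw (the reported behaviour) and once with the name entity-encoded (the fix), then runs both through a minimal tokenizer that implements the one HTML5 rule that matters here, so you can see exactly which tags survive.

```python
import html

# Constructed stand-in for the doctor-profile listing. Hypothetical markup:
# the real FirstBlood template is not part of the report.
TEMPLATE = """<html><body>
<h1>Our doctors</h1>
<div class="doctor"><span class="name">{name}</span></div>
<form method="POST" action="/login.php">
  <input name="username"><input name="password" type="password">
  <button>Login</button>
</form>
</body></html>
"""

# The value the report sent as the `name` parameter of edit-dr.php.
REPORTED_PAYLOAD = "<!--"


def render_vulnerable(name: str) -> str:
    """Reflect the stored doctor name into the page with no encoding
    (the behaviour the report describes)."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """Same page, but the name is HTML-entity encoded before insertion,
    so '<' becomes '&lt;' and can no longer open a comment or a tag."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def tokenize(page: str) -> list:
    """Minimal HTML5-style tokenizer returning (kind, value) tuples with
    kind in {'tag', 'text', 'comment'}. It deliberately implements the
    rule that causes the DoS: a comment that never reaches '-->' runs to
    end of input (HTML5 'comment state' on EOF), swallowing all later markup."""
    tokens = []
    i, n = 0, len(page)
    while i < n:
        if page.startswith("<!--", i):
            end = page.find("-->", i + 4)
            if end < 0:
                # Unterminated comment: the rest of the document is comment data.
                tokens.append(("comment", page[i + 4:]))
                break
            tokens.append(("comment", page[i + 4:end]))
            i = end + 3
        elif page[i] == "<":
            end = page.find(">", i + 1)
            if end < 0:
                tokens.append(("text", page[i:]))
                break
            inner = page[i + 1:end].strip()
            # Tag name is the first whitespace-separated token; closing tags keep their '/'.
            tokens.append(("tag", inner.split()[0].lower() if inner else ""))
            i = end + 1
        else:
            end = page.find("<", i)
            if end < 0:
                end = n
            text = page[i:end].strip()
            if text:
                tokens.append(("text", text))
            i = end
    return tokens


def visible_tags(page: str) -> list:
    """Tag names the tokenizer actually sees as markup, in document order."""
    return [value for kind, value in tokenize(page) if kind == "tag"]


def has_unterminated_comment(page: str) -> bool:
    """Quick response check for a fuzzer: does the body open a comment it never closes?"""
    pos = 0
    while (start := page.find("<!--", pos)) >= 0:
        end = page.find("-->", start + 4)
        if end < 0:
            return True
        pos = end + 3
    return False


if __name__ == "__main__":
    vuln = render_vulnerable(REPORTED_PAYLOAD)
    fixed = render_fixed(REPORTED_PAYLOAD)
    print("vulnerable tags seen:", visible_tags(vuln))
    print("fixed tags seen:     ", visible_tags(fixed))
    print("unterminated comment in vulnerable page:", has_unterminated_comment(vuln))
```

With the raw reflection, tokenization stops at the injected <!--: the login form, its inputs and the closing body/html tags never appear as markup, which is the "page hangs" symptom the reporter saw. With html.escape applied, the same payload is rendered as literal text and every later tag survives. has_unterminated_comment is the check to run over a fuzzed response when the browser simply shows a blank or half-rendered page.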

Report Feedback

@zseano (Creator & Administrator):

This would be considered HTML injection without clear impact demonstrated, and as such this report will be accepted as informative.