FirstBlood-#1701 — DoS on about.php, doctors.php and meet_drs.php pages via edit-dr.php
This issue was discovered on FirstBlood v3
On 2022-12-13, agentmellow Level 3 reported:
Lol this is a weird one...
Due to me not being able to figure out the XSS where these reflections are found (about.php, doctors.php, meet_drs.php), I was fuzzing and noticed (by blunder, I might add) that '<!--' is accepted as is, which makes the page 'hang'.
Note that for a fine chain, CSRF on this form (or default creds) is sweet potatoes..
But... we can also chain this with: https://www.bugbountyhunter.com/hackevents/report?id=1422
which would DoS all login attempts via /login.php to reset the rendered HTML, as well as the three other pages mentioned.
Steps to reproduce:
- On the POST /drpanel/drapi/edit-dr.php, as an authenticated user, make sure to set: drid=3&name=<!--
- A 200 OK "Success! Your doctor has been modified." should be returned.
- With your browser, try to visit about.php, doctors.php and meet_drs.php.
- The pages are unable to load due to the reflected HTML closing tag not being filtered.
POC:
I'm unsure if this is intended or not. Maybe it's a separate bug ID vs the XSS that must exist on this parameter... If I find it, another report shall follow! Cheers!
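Added illustration, not code from the report or from FirstBlood: a small Python model of why an unterminated '<!--' in a reflected doctor name blanks the rest of the page, next to the output-encoding fix. The DOCTORS records, the PAGE template and the render functions are constructed stand-ins for edit-dr.php's stored data and the three pages that echo it.

```python
import html
import re

# Constructed stand-in for the doctor records edit-dr.php stores and
# about.php / doctors.php / meet_drs.php read back (not FirstBlood's data).
DOCTORS = [
    {"drid": 2, "name": "Dr. Alice Example"},
    {"drid": 3, "name": "<!--"},  # payload from the reproduction steps above
    {"drid": 4, "name": "Dr. Bob Example"},
]

# Constructed page template; everything after the doctor list is what a
# browser loses once an unterminated comment is opened.
PAGE = ("<html><body><h1>Meet our doctors</h1><ul>{items}</ul>"
        "<footer>Contact</footer></body></html>")


def render_unsafe(doctors):
    """Reflect the stored name verbatim: the behaviour the report describes."""
    items = "".join(f"<li>{d['name']}</li>" for d in doctors)
    return PAGE.format(items=items)


def render_safe(doctors):
    """Fix: HTML-escape at output time so '<' can never start markup."""
    items = "".join(f"<li>{html.escape(d['name'], quote=True)}</li>"
                    for d in doctors)
    return PAGE.format(items=items)


def visible_after_comments(doc):
    """Model the browser's comment rule: '<!--' hides everything up to the
    next '-->', and an unterminated comment swallows the rest of the document."""
    out, pos = [], 0
    while True:
        start = doc.find("<!--", pos)
        if start < 0:
            out.append(doc[pos:])
            return "".join(out)
        out.append(doc[pos:start])
        end = doc.find("-->", start + 4)
        if end < 0:
            return "".join(out)  # unterminated: remainder of page is gone
        pos = end + 3


def text_only(doc):
    """Strip tags from the surviving markup to get the words a user sees."""
    return re.sub(r"<[^>]+>", " ", visible_after_comments(doc)).split()
```

Running text_only over render_unsafe(DOCTORS) drops "Dr. Bob Example" and the footer entirely, while render_safe keeps them and shows the literal text "<!--" as harmless content.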
P5 Informative
Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
Creator & Administrator
This would be considered HTML injection without clear impact demonstrated, and as such this report will be accepted as informative.