FirstBlood-#212 Reflective XSS on Login page (requiring interaction), leading to leak of PII data
This issue was discovered on FirstBlood v1



On 2021-05-12, xnl-h4ck3r Level 4 reported:

Summary

An XSS vulnerability exists on /login.php that allows an attacker to craft a URL which if clicked will take the user to the login page. The ref parameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g. ref=/\/attacker.com. An XSS payload can be used so if the user clicks the Return to previous page link, any cookies that may be present can be leaked to the attacker.

Steps to Reproduce

  1. Click the link http://firstbloodhackers.com:{PORT}/login.php?ref=j%09avascript:onerror=confirm;throw%20document.cookie
  2. Observe the payload fires and if there are any cookies present, they will be leaked:

NOTE: This cookie can be sent to the attacker's server

  3. Clear all cookies and go to the web app again but do not log in.
  4. Add the cookie shown in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and view patient data.

Impact

If an attacker can phish a user to click the link containing the payload, they can direct them to the Login page where the Return to previous page link is present. The attack requires the victim to click the link on the site which can then redirect the user to the attacker's website (where they could phish for login details again), or could send any cookies the user has to the attacker (which can be used to access the admin panel and reveal PII information).

P3 Medium

Endpoint: /login.php

Parameter: ref

Payload: j%09avascript:onerror=confirm;throw%20document.cookie


FirstBlood ID: 3
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed.
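
One way to validate a `ref` value before it is written into the link's href, as an added example that is not FirstBlood's code and not part of the report. It is written in JavaScript for Node.js because the WHATWG URL parser applies the same rules a browser applies to an href. `APP_ORIGIN`, `naiveIsSafe`, `safeRef`, `escapeAttr` and `renderReturnLink` are hypothetical names, and the naive filter is an assumed stand-in for the developer's check, which the page does not show.

```javascript
// Added example: names and the placeholder origin are assumptions, not FirstBlood code.
const APP_ORIGIN = "http://app.example";

// Assumed stand-in for a weak filter: a literal substring check on the raw value.
// It misses "j\tavascript:" because browsers strip tabs/newlines while parsing a URL.
function naiveIsSafe(ref) {
  return !ref.toLowerCase().includes("javascript:");
}

// Hardened check: resolve the value exactly as a browser would, then allow only
// same-origin http(s) targets and hand back a normalized relative path.
function safeRef(ref, fallback = "/") {
  if (typeof ref !== "string" || ref.length > 2048) return fallback;
  let url;
  try {
    url = new URL(ref, APP_ORIGIN + "/login.php");
  } catch {
    return fallback; // unparseable input never reaches the page
  }
  // Rejects javascript:, data:, vbscript: and any other non-web scheme.
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  // Rejects "//host" and "/\/host": the parser treats "\" as "/" for web schemes.
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Encode for an HTML attribute so the value cannot break out of href="...".
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

function renderReturnLink(ref) {
  return `<a href="${escapeAttr(safeRef(ref))}">Return to previous page</a>`;
}
```

The validation runs on the parsed result rather than on the raw string, so it does not depend on enumerating every spelling of a dangerous scheme.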