FirstBlood-#456 [COLLAB with isitbug] Stored XSS via cancelled appointment's message that executes on doctors
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, shreky Level 5 reported:

Summary

Same bug as last time again, via a cancelled appointment's message it's possible to exploit a Stored XSS that fires on /drpanel/cancelled.php when accessed by admins/doctors.

Steps to reproduce

  1. Make an appointment
  2. Cancel it and intercept the request, and add &message="><svg/onload=confirm`1`> in the POST param and send. It should look like this:
    act=cancel&id=2f3ddc87-1eea-4b64-8862-8d21e1df07c3&message="><svg/onload=confirm`1`>
  3. Now, as a doctor, go to Cancelled appointments from the dashboard
  4. XSS will execute

Impact

Stored XSS that affects any doctor/admin that accesses /drpanel/cancelled.php.

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: "><svg/onload=confirm`1`>


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, such as when creating and editing the appointment and not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in admins being exposed to the XSS on cancelled appointments.
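
The sketch below is an added example, not FirstBlood's code. It shows why encoding once on input does not hold up when the value is later read back through a form field and concatenated into markup, next to a renderer that encodes at the point of output. The flow and all function names are assumptions; the sample string is the payload quoted in the report.

```javascript
// Added example; the rendering flow and every name here are assumptions.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
const REVERSE = Object.fromEntries(Object.entries(ENTITIES).map(([k, v]) => [v, k]));

// Output encoder for HTML text and quoted-attribute contexts.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ENTITIES[c]);
}

// Models the HTML parser: character references in an attribute value are
// decoded, so script reading a field's .value sees the original characters.
function decodeHtml(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#39|#96);/g, (e) => REVERSE[e]);
}

// Weak pattern: encode at write time, then reuse the value in a second sink.
function renderWeak(message) {
  const stored = encodeHtml(message);       // what ends up in the database
  const fieldValue = decodeHtml(stored);    // what .value hands back to script
  return '<td class="msg">' + fieldValue + '</td>'; // string-built markup
}

// Corrected pattern: store the raw message, encode where it is written out.
function renderSafe(message) {
  return '<td class="msg">' + encodeHtml(message) + '</td>';
}

// True if the fragment contains any element other than the template's own <td>.
function hasInjectedTag(html) {
  const tags = html.match(/<\/?[a-z][a-z0-9]*/gi) || [];
  return tags.some((t) => !/^<\/?td$/i.test(t));
}

const sample = '"><svg/onload=confirm`1`>'; // payload quoted in the report
console.log('weak renderer injects a tag:', hasInjectedTag(renderWeak(sample)));
console.log('safe renderer injects a tag:', hasInjectedTag(renderSafe(sample)));
```

In a browser the equivalent of renderSafe is assigning the message to textContent instead of building HTML strings.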