FirstBlood-#463Cancelled Appintments is still vulnerable to Stored XSS
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, kinako Level 5 reported:

Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.

Summary

There used to be reported Stored XSS on /drpanel/cancelled.php endpoint in FirstBlood v1, and I confirm that vulnerability still exists in FirstBlood v2.

Vulnerability Description(PoC)

First of all, we can cancel our own appointment in /manageappointment.php endpoint.

When cancelling, we can add message parameter to leave a message to doctors like this:

And this message param will be reflected like this in admin panel:

Thanks to firstblood v1 report, I know this functionality is vulnerable to Stored XSS and I tested again.

I used this payload:

message="><img/src="x"/onmouseenter=alert`document.cookie`//

Unfortunately, this Stored XSS bug is still alive.

Impact

  • firstblood v2 has no HttpOnly flag in session cookie, so the attackers can steal admin account's session cookie and perform ATO(Account TakeOver)
  • Phishing

Regards, kinako

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: message="><img/src="x"/onmouseenter=alert`document.cokie`//


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.