FirstBlood-#638Stored xss in message left at the time of cancelation of appointment.
This issue was discovered on FirstBlood v2

On 2021-10-26, vishal Level 2 reported:

Discription:stored xss in message left at the time of cancelation of appointment.

Steps to Reproduce:

  1. visit /book-appointment.php & create an apointment.

  2. copy appointment id you will recieve.

  3. visit /yourappointments.php and using your appointment id retrieve appointment.

  4. now click on cancel appointment and capture request in proxy & send it to repeater tab.

  5. Now you will need to make some changes into request as by default user is not supposed to leave a msg but it's come to notice from seeing left msg on cancelled appointment in drAdmin panel it could be possible. so add message="%20onpointereNTER="eval.call${'confirm\x28document.cookie\x29'}"%20new="1 in request as below .

  6. last step is to visit /drpanel/cancelled.php (as a doctor) and move curser/pointer over username you have just cancelled.

All done you should probably get stored xss popup & thanks to report's of firstbloodv1 I got it too.

In any case if something is missing Just let me know - Vishal

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: %20onpointereNTER="eval.call`${'confirm\x28document.cookie\x29'}`"%20new="1

FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.