FirstBlood-#722 Stored XSS can be gained by giving a payload in the User-Agent request header. It fires on /vaccination-manager/portal.php.
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-27, vishal (Level 2) reported:

Description: Stored XSS can be gained by giving a payload in the User-Agent request header. It fires on /vaccination-manager/portal.php.

Some parts of this report might require knowledge shared in another report here. Now we are ready for this, let's begin.

How I Discovered This Bug: when I logged into the admin panel at /vaccination-manager/portal.php, I noticed that the admin can see the email, the time it was submitted, the IP address of the submitter, the user-agent, and the vaccination certificate uploaded by them. Of these, the user-agent is the first thing we can manipulate easily to get stored XSS. I tried uploading a vaccination certificate with a stored XSS payload and it fired at /vaccination-manager/portal.php.

Steps to Reproduce:

  1. Go to /vaccination-manager/pub/upload-vaccination-proof.php
  2. Fill in a valid email address and submit a valid image file less than 2 MB in size.
  3. Turn the proxy on & click on the upload button. Burp will capture the request like I have shown below; add <script>alert(document.cookie)</script> just after User-Agent like I did and forward the request.
  4. Now visit /vaccination-manager/login.php and log in (user=admin & password=' or ''='). Stored XSS will fire at the admin panel at /vaccination-manager/portal.php.

Lastly, if anything is missing or required just let me know - Vishal

P2 High

Endpoint: /vaccination-manager/pub/submit-vaccination-proof.php

Parameter: User-Agent

Payload: <script>alert(document.cookie)</script>

FirstBlood ID: 29
Vulnerability Type: Stored XSS

When uploading a vaccine proof it is possible to achieve stored XSS against admins via the User-Agent header. As this value is typically assumed not to be user controlled, the developers did not think it was 'worth' protecting against XSS.
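The defending-side fix is the same for the User-Agent as for any other request-derived field: encode it at output time when the admin portal renders it, rather than trusting it because a browser "normally" sets it. The Python example below is added here and is not FirstBlood's code; the submission fields, the sample rows, the rendering functions and the review helper are assumptions modelled on the columns the report describes (email, submission time, IP, User-Agent, uploaded certificate). It shows the vulnerable concatenation beside the hardened rendering, plus a small check a triager could run over stored rows.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Submission:
    """One vaccination-proof submission as the admin portal lists it (constructed field names)."""
    email: str
    submitted_at: str
    ip: str
    user_agent: str
    proof_filename: str


# Constructed sample rows: an ordinary browser UA and one carrying the report's payload.
SAMPLE_SUBMISSIONS = [
    Submission("alice@example.com", "2021-10-27 10:12:00", "203.0.113.5",
               "Mozilla/5.0 (X11; Linux x86_64) Firefox/93.0", "alice.png"),
    Submission("mallory@example.com", "2021-10-27 10:15:30", "198.51.100.9",
               "Mozilla/5.0 <script>alert(document.cookie)</script>", "proof.jpg"),
]


def render_row_unsafe(sub: Submission) -> str:
    """Vulnerable rendering: stored, request-derived fields are concatenated into HTML verbatim.

    The User-Agent is fully client-controlled, so a payload stored in it is parsed as markup
    the moment an admin opens the table. This is the pattern the report describes.
    """
    return (f"<tr><td>{sub.email}</td><td>{sub.submitted_at}</td>"
            f"<td>{sub.ip}</td><td>{sub.user_agent}</td><td>{sub.proof_filename}</td></tr>")


def render_row_safe(sub: Submission) -> str:
    """Hardened rendering: every cell is HTML-entity-encoded at output time.

    html.escape(..., quote=True) turns & < > " ' into entities, so the identical string is
    displayed as text instead of being interpreted as a <script> element.
    """
    cells = (sub.email, sub.submitted_at, sub.ip, sub.user_agent, sub.proof_filename)
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


# Markup indicators that never occur in a legitimate User-Agent string.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|on\w+\s*=", re.IGNORECASE)


def find_markup_in_user_agents(subs) -> list:
    """Review helper: return the emails of submissions whose stored User-Agent contains markup.

    Useful after deploying the output-encoding fix, to find rows that were stored while
    the portal was still rendering the header unencoded.
    """
    return [s.email for s in subs if MARKUP_RE.search(s.user_agent)]


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        print("unsafe:", render_row_unsafe(sub))
        print("safe:  ", render_row_safe(sub))
    print("rows with markup in User-Agent:", find_markup_in_user_agents(SAMPLE_SUBMISSIONS))
```

Encoding at the point of output (not on the way into the database) is the right place for the fix, because the same stored value may later be rendered in HTML, in a JSON API or in a log viewer, each with its own escaping rules. A Content-Security-Policy on the admin portal is a sensible second layer, but it does not replace the encoding.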