FirstBlood-#807 — Stored XSS on /drpanel/index.php by cancelling an appointment
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-28, 0xblackbird reported:
Hello! I can see that the previously reported stored XSS is still not fixed. An unauthorized user can escalate his privileges by taking over a doctor account and get access to sensitive data of all registered patients.
Steps to reproduce:
- First of all, we need to make an appointment in order to cancel one. To do so, navigate to /book-appointment.php, fill in the required fields and click on Book Appointment.
- Next, copy the UUID and head over to /yourappointments.php. Paste in the UUID in the Appointment ID field and click on Retrieve Appointment.
- Now click on Cancel and make sure you intercept this request using a proxy interceptor. After that, you'll have to manually append the following POST parameter to the request + the payload:
&message="><x/contenteditable/autofocus/onfocusin="confirm%601%60">. Forward the request.
- We can't see the reflection now because we have to login as a doctor. Luckily, we have a test account that we can also make good use of. Navigate to /login.php?goto=/drpanel/cancelled.php and use the following credentials: test. You'll get redirected to the page where all the cancelled appointments appear. You'll normally now see a confirm box popup.
A real attacker doesn't want to display a confirm box and leave. As I described above, he will go for the most impact. In this case, he can steal the doctor's session (by stealing his/her cookies). To do so, we can easily craft a new payload that will redirect the doctor (with his cookies) to a domain controlled by the attacker:
- Repeat the previous steps, now only replacing the previous payload with the one above. You don't have to create and cancel a new appointment, you can just modify the message in the previously cancelled appointment by re-sending the request.
- Login as the doctor again and navigate to /drpanel/cancelled.php, you'll get redirected to example.com with the session cookie as the value of the cookie parameter.
FirstBlood ID: 22
Vulnerability Type: Stored XSS
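The root cause the report describes is the cancellation `message` being written into the doctor's page unencoded, so a value containing `">` closes the surrounding attribute and injects markup. The snippet below is an added example, not FirstBlood's own code: it shows that vulnerable pattern next to a hardened version that encodes at the output sink and hardens the session cookie, which is what turns the cookie-theft escalation the reporter mentions into a non-event. The function names, the assumption that the sink is a double-quoted HTML attribute, and the call site are assumptions; only the `message` parameter name, the `/drpanel/cancelled.php` page and the payload string come from the report.

```php
<?php
// Added example (not FirstBlood's code). Demonstrates the stored-XSS sink
// described in the report and its fix. Assumptions: the cancellation message
// is rendered inside a double-quoted attribute on /drpanel/cancelled.php, and
// these helpers are called from that page; names are illustrative.

declare(strict_types=1);

// Vulnerable pattern (assumed shape of the sink): the stored message is
// concatenated straight into markup. A message starting with "> closes the
// attribute and the tag, and whatever follows is parsed as new HTML that runs
// in the doctor's browser when the cancelled-appointments page is viewed.
function render_cancelled_row_vulnerable(string $message): string
{
    return '<td><input type="text" value="' . $message . '"></td>';
}

// Hardened pattern: encode for the HTML attribute context at the moment of
// output. ENT_QUOTES encodes both " and ' so the value can never terminate the
// attribute; an explicit charset avoids multibyte edge cases in the encoder.
function render_cancelled_row(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td><input type="text" value="' . $safe . '"></td>';
}

// Defence in depth for the session cookie the report targets: HttpOnly keeps
// document.cookie from exposing it even if an encoding bug slips through,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
// Must run before session_start() (PHP >= 7.3 array form).
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration input: the exact payload quoted in the report.
$reported_payload = '"><x/contenteditable/autofocus/onfocusin="confirm`1`">';

// Side-by-side output of the two renderers. In the first, the payload's
// leading "> escapes the attribute; in the second, every " and < / > is
// entity-encoded and the string stays inert text inside the value attribute.
echo "vulnerable: ", render_cancelled_row_vulnerable($reported_payload), PHP_EOL;
echo "hardened:   ", render_cancelled_row($reported_payload), PHP_EOL;
```

The fix belongs at the output sink rather than in the cancel handler: the same stored message may be rendered in several places, and filtering on input (the reporter notes the message can be overwritten by re-sending the request) is easy to bypass and easy to forget. Retesting should include re-sending the cancel request with the existing appointment UUID, since that is how the report updates the stored message without creating a new one.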