FirstBlood-#673 — [Unpatched] Stored XSS still working on admin's cancelled report panel
This issue was discovered on FirstBlood v2
On 2021-10-27, d20s84 Level 3 reported:
Hi again an again sean :p . Hope you and your family are all well !! I found a stored XSS. More about it down below :)
Summary:
This is an unpatched vulnerability. Bascially I was able to inject javaScript that would lead to Stored Cross Site Scripting
Impact:
Very Devastating!! If this attack is more escalated than what is in here it could lead to account takeover.
How?
- I Booked an appointment on /book-appointment.php.
- Then i went to manage my appointment on yourappointments.php. Used my previously generated id.
- Then i clicked on Cancel Button and intercepted the Request in Burp. I added an extra message={payload} parameter in the request.
- On viewing the request from the admin panel the javascript payload triggered .
P2 High
Endpoint: source=/api/ma.php,sink=/drpanel/cancelled.php#
Parameter: message=
Payload: "><script>alert("unpatched")</script>
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.