CVE-2023-6425
📋 TL;DR
This vulnerability allows attackers to inject malicious JavaScript into the BigProf Online Clinic Management System through the FirstRecord parameter in medical_records_view.php. The stored XSS payload executes when legitimate users view the compromised page, potentially stealing session cookies or performing unauthorized actions. All users of BigProf Online Clinic Management System version 2.2 are affected.
💻 Affected Systems
- BigProf Online Clinic Management System 2.2 (file /clinic/medical_records_view.php, parameter FirstRecord)
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data theft, and unauthorized administrative actions through session hijacking or malicious JavaScript execution.
Likely Case
Session hijacking leading to unauthorized access to patient medical records and clinic management functions.
If Mitigated
Negligible: with FirstRecord validated on input and HTML-encoded on output, the stored payload is rendered as inert text and never executes.
🎯 Exploit Status
Proof-of-concept code is public. Exploitation requires an authenticated account that can reach medical_records_view.php, but is otherwise straightforward: a single request storing the payload in FirstRecord is enough, and every user who later views the page runs it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement input validation and output encoding for the FirstRecord parameter in medical_records_view.php.
Edit /clinic/medical_records_view.php so that FirstRecord is validated before use (if it is a record offset, as its name suggests, accept only a non-negative integer and fall back to a safe default) and is passed through htmlspecialchars() with ENT_QUOTES and an explicit charset wherever it is echoed into HTML. Encode at the point of output, not only on input: the stored value must be rendered inert every time the page is built.
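An added illustrative example (not code from BigProf or from this page) showing the vulnerable echo pattern next to the hardened one. The function names and markup are hypothetical, as is the assumption that FirstRecord is a numeric record offset; the only thing taken from the advisory is that the request value reaches the HTML of medical_records_view.php.

```php
<?php
// Added example, not BigProf code. Assumes medical_records_view.php reads
// FirstRecord from the request and echoes it into the page; the markup and
// function names here are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the raw request value is concatenated into HTML, so a
// value such as "><script>...</script> closes the attribute and injects a tag.
function render_pager_vulnerable(array $request): string
{
    $first = $request['FirstRecord'] ?? '1';
    return '<input type="hidden" name="FirstRecord" value="' . $first . '">'
         . '<span>Showing records from ' . $first . '</span>';
}

// Hardened pattern, two independent layers:
//  1. Validate. FirstRecord is assumed to be a record offset, so only a
//     non-negative integer is accepted; anything else becomes the default.
//  2. Encode. Every string written into HTML goes through htmlspecialchars()
//     with ENT_QUOTES (escapes both quote styles) and an explicit charset.
function first_record_from_request(array $request): int
{
    $raw = $request['FirstRecord'] ?? 1;
    if (!is_scalar($raw)) {
        return 1; // arrays or objects in the query string are never valid here
    }
    $value = filter_var(
        $raw,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'default' => 1]]
    );
    return is_int($value) ? $value : 1;
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_pager_hardened(array $request): string
{
    $first = first_record_from_request($request);
    // $first is already an int; encoding it anyway keeps the template safe
    // for every other string that may be added to it later.
    return '<input type="hidden" name="FirstRecord" value="' . h((string) $first) . '">'
         . '<span>Showing records from ' . h((string) $first) . '</span>';
}

// Constructed input in the shape of the advisory's payload.
$hostile = ['FirstRecord' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable:\n", render_pager_vulnerable($hostile), "\n\n";
echo "Hardened:\n", render_pager_hardened($hostile), "\n\n";

// The encoding layer on its own, for values that legitimately are free text:
echo "Encoded only:\n", h($hostile['FirstRecord']), "\n";
```

Run it with `php example.php` and compare the two renderings: the vulnerable one contains a live script tag, the hardened one falls back to offset 1, and the encoded-only line shows the payload as visible text. Validation is the primary fix for a numeric parameter; output encoding is the layer that still protects the page if validation is ever bypassed or removed.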
Web Application Firewall (WAF) Rules
Deploy WAF rules to block XSS payloads targeting the FirstRecord parameter.
Configure the WAF to reject requests whose FirstRecord value, after URL decoding, contains HTML tags, event-handler attributes such as onerror=, or javascript: URLs. A tag blocklist alone is bypassable, so treat the WAF as a stopgap until the code is fixed; if FirstRecord is numeric, a positive rule that allows only digits is far stronger than any blocklist.
🧯 If You Can't Patch
- Deploy a Content-Security-Policy header that disallows inline scripts (no 'unsafe-inline' in script-src). Legacy PHP applications often depend on inline scripts, so roll it out in Content-Security-Policy-Report-Only mode first and fix what it reports before enforcing.
- Restrict access to medical_records_view.php to the accounts that need it, and monitor those accounts' requests to the page for suspicious FirstRecord values.
🔍 How to Verify
Check if Vulnerable:
In a test instance (not against production patient data), submit a benign payload such as <script>alert('XSS')</script> in the FirstRecord parameter, then load the page as another user. If the alert fires, the value is being written into the page unencoded and the instance is vulnerable.
Check Version:
Check system version in administration panel or configuration files
Verify Fix Applied:
Verify that submitted payloads are properly encoded and do not execute when viewing the page.
📡 Detection & Monitoring
Log Indicators:
- Requests (GET or POST) to /clinic/medical_records_view.php whose FirstRecord value contains HTML tags, event-handler attributes, or javascript: URLs; URL-decode the value before inspecting it, since payloads arrive percent-encoded
- A session cookie suddenly in use from a different client IP or User-Agent shortly after its owner viewed medical_records_view.php, which is what successful cookie theft looks like
Network Indicators:
- HTTP requests containing script tags or JavaScript payloads in FirstRecord parameter
SIEM Query:
source="web_server" AND uri="/clinic/medical_records_view.php" AND param="FirstRecord" AND (value MATCHES "(?i)<\s*script" OR value MATCHES "(?i)javascript\s*:" OR value MATCHES "(?i)\bon[a-z]+\s*=")
(Pseudo-syntax; adapt to your SIEM's field names and URL-decode the value before matching.)
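As an added example (not from the page or the vendor), the same detection logic run over constructed web-server access-log lines: parse each request, URL-decode the FirstRecord query value, and flag payloads with patterns broader than a bare <script> tag. The log lines and addresses are constructed for this illustration.

```php
<?php
// Added example, not BigProf code. Scans combined-format access-log lines for
// requests to /clinic/medical_records_view.php whose FirstRecord parameter
// carries an XSS payload. Sample lines below are constructed. Access logs do
// not contain POST bodies, so this only sees payloads sent in the query string.

declare(strict_types=1);

// Patterns applied to the URL-decoded value. Deliberately wider than
// "<script": event handlers, javascript: URLs and tag-based vectors are the
// usual ways past a script-tag-only filter. Tune the handler pattern if your
// site has legitimate values starting with "on".
const XSS_PATTERNS = [
    '/<\s*script/i',
    '/<\s*(svg|img|iframe|object|embed|body)\b/i',
    '/\bon[a-z]+\s*=/i',   // onerror=, onload=, onfocus= ...
    '/javascript\s*:/i',
];

function parse_combined_log_line(string $line): ?array
{
    // 203.0.113.5 - - [01/Dec/2023:10:00:00 +0000] "GET /path?x=y HTTP/1.1" 200 123 "-" "UA"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Returns the decoded FirstRecord value for the vulnerable page, else null.
function first_record_value(string $target): ?string
{
    $parts = parse_url($target);
    if (($parts['path'] ?? '') !== '/clinic/medical_records_view.php') {
        return null;
    }
    parse_str($parts['query'] ?? '', $params); // parse_str percent-decodes values
    $v = $params['FirstRecord'] ?? null;
    return is_string($v) ? $v : null;
}

function is_xss_payload(string $value): bool
{
    // Decode once more: a double-encoded payload (%253C) survives the first pass.
    $decoded = rawurldecode($value);
    foreach (XSS_PATTERNS as $re) {
        if (preg_match($re, $value) === 1 || preg_match($re, $decoded) === 1) {
            return true;
        }
    }
    return false;
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_combined_log_line($line);
        if ($e === null) {
            continue;
        }
        $v = first_record_value($e['target']);
        if ($v !== null && is_xss_payload($v)) {
            $hits[] = ['ip' => $e['ip'], 'time' => $e['time'], 'value' => $v];
        }
    }
    return $hits;
}

// Constructed sample: legitimate paging, a plain <script> payload, an
// event-handler payload with no <script> tag, and an out-of-scope page.
$sample = [
    '203.0.113.5 - - [01/Dec/2023:10:00:01 +0000] "GET /clinic/medical_records_view.php?FirstRecord=21 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Dec/2023:10:02:11 +0000] "GET /clinic/medical_records_view.php?FirstRecord=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5188 "-" "curl/8.4.0"',
    '198.51.100.7 - - [01/Dec/2023:10:02:40 +0000] "GET /clinic/medical_records_view.php?FirstRecord=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5190 "-" "curl/8.4.0"',
    '203.0.113.9 - - [01/Dec/2023:10:03:00 +0000] "GET /clinic/patients_view.php?FirstRecord=%3Cscript%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("[%s] %s FirstRecord=%s\n", $hit['time'], $hit['ip'], $hit['value']);
}
```

The two curl requests from 198.51.100.7 are flagged; the legitimate offset and the patients_view.php line are not, the latter because this check is scoped to the vulnerable page. The important detail for real logs is the decoding step: matching `<script` against the raw log text misses every percent-encoded payload, which is how the vulnerable request normally appears.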