FirstBlood-#1001 Admin Account takeover
This issue was discovered on FirstBlood v3



On 2022-12-08, didsec Level 5 reported:

Hi there

I found it is possible to change the password of the admin account by sending a POST request to /drpanel/drapi/editpassword.php. As it's only looking for the username, this works even if unauthenticated.

To reproduce:

  1. Visit https://firstbloodhackers.com/drpanel/drapi/editpassword.php and intercept the request
  2. Change the request to a POST request
  3. Add the body parameter username=admin and forward the request
  4. We are given a new password
  5. Go to the login page and log in; we now have access to the Admin account

P1 CRITICAL


FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from drAdmin in previous versions to admin.
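The root cause described above is a password-change handler that trusts a caller-supplied username and never checks who is making the request. The following hardened handler is an added example written for this page, not FirstBlood's own editpassword.php; the users table columns, the $pdo connection and the session keys are assumptions for illustration.

```php
<?php
// Hypothetical hardened editpassword.php (example code, not the project's).
// Assumed: $pdo is a connected PDO instance; table users(id, password_hash);
// $_SESSION['user_id'] and $_SESSION['csrf'] are set at login.
session_start();
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'method not allowed']));
}

// 1. The vulnerable version skipped this: the caller must be authenticated.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'authentication required']));
}

// 2. CSRF token bound to the session, so a cross-site POST cannot reuse it.
if (!hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf_token'] ?? '')) {
    http_response_code(403);
    exit(json_encode(['error' => 'invalid csrf token']));
}

// 3. The target account is taken from the session, never from $_POST['username'].
//    Resets for other users belong in a separate, audited admin-only flow.
$userId  = (int) $_SESSION['user_id'];
$current = $_POST['current_password'] ?? '';
$new     = $_POST['new_password'] ?? '';

if (strlen($new) < 12) {
    http_response_code(400);
    exit(json_encode(['error' => 'new password too short']));
}

// 4. Re-authenticate with the current password before changing it.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
$stmt->execute([$userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$row || !password_verify($current, $row['password_hash'])) {
    http_response_code(403);
    exit(json_encode(['error' => 'current password incorrect']));
}

$stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
$stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);

// 5. Never return the password in the response; rotate the session id after a change.
session_regenerate_id(true);
echo json_encode(['ok' => true]);
```

For detection, an unauthenticated POST to this path that returns 200 with a credential in the body is the signal to alert on in access logs.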

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the second user to discover this bug :-)