FirstBlood-#1053 — Editpassword.php allows anyone to edit any user's passwords
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
Hi mate!
I hope you're doing well today!
I found out that the endpoint from firstblood v2 was still not patched. The endpoint /drpanel/drapi/editpassword.php is still available and is still able to change passwords of any user!
Possible cause:
There aren't any checks in place that cross-check whether I'm authorized to reset someone else's password or not
Impact:
I was able to takeover anyone's account as no privileges were required. As long as I had their username (but that isn't an issue).
Steps to reproduce:
Proof of concept endpoint: /drpanel/drapi/editpassword
1) Spin up firstblood v3 if you haven't already
2) Send the following POST request:
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: {HOST}
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
username=admin
3) The response should contain a newly generated password
Mitigation
I highly recommend adding authorization checks in place to fully mitigate this issue and to ensure that no one gets to reset another user's password again.
Thanks for hosting such an awesome event again!
Kind regards,
0xblackbird
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
Parameter: username
Payload: {username}
FirstBlood ID: 52
Vulnerability Type: Auth issues
The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from previous versions from drAdmin to admin