FirstBlood-#1073 Change doctor passwords via admin API that is accessible by any doctor
This issue was discovered on FirstBlood v3

On 2022-12-08, mr_xhunt Level 7 reported:


Since firstblood2 had this bug where we could change the password of the doctor on the endpoint /drpanel/drapi/editpassword.php, I simply tried it again and found it is still vulnerable and not fixed yet.

Steps to Reproduce:

  1. Make a POST request to /drpanel/drapi/editpassword.php with the POST parameter username=admin
  2. The server will respond with the new password of the user



Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: admin

FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The admin account's username was renamed from drAdmin in previous versions to admin.
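The root cause described above is a state-changing endpoint that takes the target identity from the request body and never checks who is calling. The following is an added illustration, not FirstBlood's actual editpassword.php: a hypothetical handler written in the vulnerable shape the report describes (client-supplied username, no session check, generated password echoed back) next to a hardened version. The PDO handle, the `doctors` table with `id`/`username`/`password`/`role` columns, and a session holding `doctor_id`, `username`, `role` and a `csrf` token are all assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not FirstBlood's code. Assumed schema: doctors(id, username, password, role).
// Assumed session contents: doctor_id, username, role, csrf.

/** Vulnerable pattern (as reported): anyone who knows a username can rotate its password,
 *  and the new secret is returned in the response body. */
function editPasswordVulnerable(PDO $db, array $post): array
{
    $username    = (string)($post['username'] ?? '');
    $newPassword = bin2hex(random_bytes(8));            // server-generated, as the report describes
    $stmt = $db->prepare('UPDATE doctors SET password = :hash WHERE username = :user');
    $stmt->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':user' => $username]);
    return ['status' => 'ok', 'password' => $newPassword]; // no auth check, secret leaked to caller
}

/** Hardened pattern: the caller's identity comes from the session, never from the request. */
function editPasswordHardened(PDO $db, array $session, array $post): array
{
    // 1. Authentication: anonymous callers are rejected before anything else happens.
    if (empty($session['doctor_id'])) {
        http_response_code(401);
        return ['error' => 'authentication required'];
    }
    // 2. CSRF: a state change must carry a token bound to this session (constant-time compare).
    if (!hash_equals((string)($session['csrf'] ?? ''), (string)($post['csrf'] ?? ''))) {
        http_response_code(403);
        return ['error' => 'invalid csrf token'];
    }
    // 3. The caller chooses the new password; the server never generates and returns one.
    $newPassword = (string)($post['new_password'] ?? '');
    if (strlen($newPassword) < 12) {
        http_response_code(400);
        return ['error' => 'password too short'];
    }

    $isAdmin   = (($session['role'] ?? '') === 'admin');
    $requested = isset($post['username']) ? (string)$post['username'] : null;
    $hash      = password_hash($newPassword, PASSWORD_DEFAULT);

    if ($requested !== null && $requested !== ($session['username'] ?? '')) {
        // 4. Authorization: only an admin may change another account's password.
        if (!$isAdmin) {
            http_response_code(403);
            return ['error' => 'forbidden'];
        }
        $stmt = $db->prepare('UPDATE doctors SET password = :hash WHERE username = :user');
        $stmt->execute([':hash' => $hash, ':user' => $requested]);
        // Audit trail for privileged resets so detection has something to alert on.
        error_log(sprintf('password reset: admin=%s target=%s', $session['username'], $requested));
        return ['status' => 'ok'];
    }

    // 5. Self-service change: re-verify the current password so a hijacked session alone is not enough.
    $stmt = $db->prepare('SELECT password FROM doctors WHERE id = :id');
    $stmt->execute([':id' => (int)$session['doctor_id']]);
    $current = $stmt->fetchColumn();
    if ($current === false || !password_verify((string)($post['current_password'] ?? ''), (string)$current)) {
        http_response_code(403);
        return ['error' => 'current password incorrect'];
    }
    $stmt = $db->prepare('UPDATE doctors SET password = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => (int)$session['doctor_id']]);
    return ['status' => 'ok'];   // 6. Never echo the secret back.
}

// Assumed wiring: the including script has already called session_start() and built $pdo.
// header('Content-Type: application/json');
// echo json_encode(editPasswordHardened($pdo, $_SESSION, $_POST));
```

The hardened handler treats the `username` parameter as a privilege escalation request rather than as an identity: it is only honoured for a session whose role is admin, and every other caller can only act on the account the session belongs to. Logging privileged resets gives the defender a signal for the behaviour in the report (a burst of resets against `admin` from a non-admin or anonymous source) that the original endpoint would never record.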