FirstBlood-#1176Username enumeration through editpassword.php
This issue was discovered on FirstBlood v3

On 2022-12-08, 0xblackbird Level 5 reported:



After I checked the editpassword.php endpoint, it appeared to me that the response strongly differs once an invalid username is submitted.

This can help in identifying new users and use the same endpoint to reset their passwords.

Possible cause:

Verbose messages were probably left on so that the developers could check whether a user exists or not, but apparently did not remove it when it was pushed to production.


I'm able to identify usernames thanks to the messages the server responds with.

Steps to reproduce:

1) Replicate the following request:

POST /drpanel/drapi/editpassword.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

2) Send the request using a non-existing username 3) You'll notice that whenever we submit a request to the endpoint. It tells us whether the username is valid or non-existing:


I recommend returning more generic messages to not allow malicious users to enumerate usernames.

Have a great day!

Kind regards, 0xblackbird

P5 Informative

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: {username}

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.

Report Feedback


Creator & Administrator

Hi 0xblackbird, this is something we consider a P5/informative issue