FirstBlood-#1176 — Username enumeration through editpassword.php
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
After I checked the editpassword.php endpoint, it appeared to me that the response strongly differs once an invalid username is submitted.
This can help in identifying new users and use the same endpoint to reset their passwords.
Verbose messages were probably left on so that the developers could check whether a user exists or not, but apparently did not remove it when it was pushed to production.
I'm able to identify usernames thanks to the messages the server responds with.
Steps to reproduce:
1) Replicate the following request:
POST /drpanel/drapi/editpassword.php HTTP/1.1 Host: 2c724b2992e1-0xblackbird.a.firstbloodhackers.com Content-Type: application/x-www-form-urlencoded Content-Length: 14
2) Send the request using a non-existing username 3) You'll notice that whenever we submit a request to the endpoint. It tells us whether the username is valid or non-existing:
I recommend returning more generic messages to not allow malicious users to enumerate usernames.
Have a great day!
Kind regards, 0xblackbird
Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
Creator & Administrator
Hi 0xblackbird, this is something we consider a P5/informative issue