FirstBlood-#187Information Disclosure allowing an attacker to register as a doctor
This issue was discovered on FirstBlood v1

On 2021-05-11, c3phas Level 4 reported:


Hi, I found (After so many days of scratching my head) an information disclosure on reddit which leaks an invite code allowing one to register as a doctor.

On register.php a doctor must have an invite-code inorder to be registered.

Doing some dorking I came across a post on reddit which leaked a code

Using the above code I was able to register an account as a doctor


Anyone can get an account as a doctor

P2 High

Endpoint: /register.php

Parameter: invite-code

Payload: NA

FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.