FirstBlood-#239 — Attacker can register a user name that has already been registered
This issue was discovered on FirstBlood v1.0.0
On 2021-05-14, xnl-h4ck3r reported:
You can register the same user more than once and get a new password, potentially taking over an existing account.
Steps to Reproduce
/register.phpand regsiter a user, e.g. xnl:
An attacker can then fo to the site and go to
/register.phpand use the same user name, and be assigned a new password. Register the name xnl with an invite code:
If a doctor has an existing account, and attacker can register an account with the same username and get a new password to log into that account.
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers