FirstBlood-#328: Valid doctor credentials could be obtained without an invitation code
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, panya Level 5 reported:

Steps to reproduce:

  1. Visit doctor registration page.
  2. Fill the form with admin as username and test as the invite code.
  3. Press on "Secure Register" button.

Actual result:

Registration will be successful. The message with valid creds will be shown:

Success! Your account has been created with the following credentials:

Username: admin
Password: PyI0OYm016

Please save this in a secure place.

Expected result:

The testing creds (test as the invite code) should not be working on production. The form should properly validate the filled invite code.

Impact:

An attacker could get credentials to log in as a doctor.

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
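
The class of bug described in this report, shown next to a hardened check and a pre-deploy regression test. This is an added example, not FirstBlood's own code. The function names, the hashed single-use store and the sample invite value are assumptions made for illustration; only the `test` value comes from the report.

```php
<?php
declare(strict_types=1);
// Constructed sample store (assumption): invite codes kept as SHA-256 hashes,
// each with a single-use flag. The code value below is made up for this example.
$inviteStore = [
    hash('sha256', 'constructed-invite-7f3a91') => ['used' => false],
];

// Vulnerable pattern (hypothetical): a value used during testing is still
// accepted alongside the real lookup, so "test" passes the invite check.
function isInviteValidVulnerable(string $code, array $store): bool
{
    if ($code === 'test') {
        return true;
    }
    return isset($store[hash('sha256', $code)]);
}

// Hardened pattern: no hardcoded values. The code must exist in the store,
// be unused, and is consumed on success.
function redeemInvite(string $code, array &$store): bool
{
    if ($code === '' || strlen($code) > 128) {
        return false;
    }
    $key = hash('sha256', $code);
    if (!isset($store[$key]) || $store[$key]['used']) {
        return false;
    }
    $store[$key]['used'] = true;
    return true;
}

// Pre-deploy regression check: fail the release if a known testing value
// still redeems. $store is passed by value, so the real store is untouched.
function assertNoTestInvites(array $store, array $testValues): void
{
    foreach ($testValues as $value) {
        if (redeemInvite($value, $store)) {
            throw new RuntimeException("Testing invite code still active: {$value}");
        }
    }
}

assertNoTestInvites($inviteStore, ['test']);
var_dump(isInviteValidVulnerable('test', $inviteStore));           // vulnerable check
var_dump(redeemInvite('test', $inviteStore));                      // hardened check
var_dump(redeemInvite('constructed-invite-7f3a91', $inviteStore)); // first use
var_dump(redeemInvite('constructed-invite-7f3a91', $inviteStore)); // replayed code
```

Running `assertNoTestInvites` in CI against the production invite store catches a testing value that was re-enabled during development before it ships.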