FirstBlood-#328 — Valid doctor credentials could be obtained without an invitation code
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, panya reported:
Steps to reproduce:
- Visit doctor registration page.
- Fill the form with "admin" as the username and "test" as the invite code.
- Press on "Secure Register" button.
Registration will be successful. The message with valid creds will be shown:
Success! Your account has been created with the following credentials: Username: admin Password: PyI0OYm016 Please save this in a secure place.
The testing creds ("test" as the invite code) should not be working on production. The form should properly validate the filled invite code.
An attacker could get credentials to login as a doctor.
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
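The root cause and its fix, shown as an added Python illustration that is not FirstBlood's own code (the InviteStore class, the env flag and the function names are assumptions): the vulnerable validator hard-codes a test shortcut that no deployment configuration can switch off, while the hardened one treats invite codes purely as data, consumes each code on use, and refuses to seed test fixtures outside a test environment.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class InviteStore:
    """Constructed in-memory store of unused invite codes (hypothetical)."""
    valid_codes: set = field(default_factory=set)
    env: str = "production"   # deployment environment this store runs in

    def issue(self) -> str:
        """Mint a fresh, random, single-use invite code for a new doctor."""
        code = secrets.token_urlsafe(16)
        self.valid_codes.add(code)
        return code


def validate_invite_vulnerable(store: InviteStore, code: str) -> bool:
    """Mirrors the reported bug: a leftover debugging shortcut is accepted
    in every environment, so "test" registers a doctor in production."""
    if code == "test":        # shortcut that was never removed after testing
        return True
    return code in store.valid_codes


def validate_invite_hardened(store: InviteStore, code: str) -> bool:
    """No hard-coded codes: only codes present in the store are accepted,
    comparison is constant-time, and a code is burned once it is used."""
    for candidate in list(store.valid_codes):
        if hmac.compare_digest(candidate.encode(), code.encode()):
            store.valid_codes.discard(candidate)   # single use
            return True
    return False


def seed_test_fixtures(store: InviteStore) -> None:
    """Test data lives in the store, not in the validator, and can only be
    loaded into a test environment; production startup cannot call this."""
    if store.env != "test":
        raise RuntimeError("test invite codes must never be seeded outside a test environment")
    store.valid_codes.add("test")
```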