FirstBlood-#380: Easily guessed invite code on doctor register
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, neolex Level 2 reported:

Description

It is possible to register a doctor because the invite code is easily guessable. The current invite code is "test".

Steps to reproduce

Fix

You should make an invite code not easily guessable.

Impact

Attackers can register as a doctor.

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but while testing FirstBlood v2 the developers accidentally left the "test" code working.
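The fix the report recommends and the developer note above (a test code left working in production) both come down to how invite codes are generated and checked. The following is an added example, not code from FirstBlood or from the reporter; it is written in Python for illustration even though the affected endpoint (/register.php) is PHP. It puts the weak static-code check beside a hardened version: a high-entropy, single-use, expiring code whose secret half is stored only as a hash and compared in constant time, with a failure counter that can feed rate limiting and alerting. The `InviteStore` class, the `id.secret` code layout and the one-week lifetime are assumptions of the example, not anything FirstBlood implements.

```python
"""Invite-code handling: the weak static-code check beside a hardened,
single-use, expiring, high-entropy version (added example, not FirstBlood code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Weak pattern as described in the report: one static, guessable invite code
# shared by every doctor registration. Value constructed to mirror the report.
STATIC_INVITE_CODE = "test"


def weak_invite_check(submitted: str) -> bool:
    """Vulnerable check: anyone who guesses the shared code can register."""
    return submitted == STATIC_INVITE_CODE


@dataclass
class Invite:
    secret_hash: bytes      # SHA-256 of the secret half; the raw secret is never stored
    expires_at: float       # Unix time after which the code is dead
    used: bool = False      # single use: a leaked or shared code cannot be replayed


@dataclass
class InviteStore:
    """Hypothetical in-memory stand-in for the invite table in the database."""
    invites: Dict[str, Invite] = field(default_factory=dict)
    ttl_seconds: int = 7 * 24 * 3600    # assumed lifetime: invites lapse after a week
    failed_attempts: int = 0            # counter for rate limiting / alerting on guessing

    def issue(self, now: Optional[float] = None) -> str:
        """Mint a code 'id.secret': the id locates the row, the secret proves possession."""
        now = time.time() if now is None else now
        invite_id = secrets.token_urlsafe(8)
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable
        self.invites[invite_id] = Invite(
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            expires_at=now + self.ttl_seconds,
        )
        return f"{invite_id}.{secret}"      # handed to the doctor once, out of band

    def redeem(self, submitted: str, now: Optional[float] = None) -> bool:
        """Return True exactly once for a valid, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        invite_id, sep, secret = submitted.partition(".")
        invite = self.invites.get(invite_id) if sep else None
        if invite is None:
            self.failed_attempts += 1
            return False
        candidate = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison so a wrong secret does not leak how much of it matched.
        if not hmac.compare_digest(candidate, invite.secret_hash):
            self.failed_attempts += 1
            return False
        if invite.used or now > invite.expires_at:
            self.failed_attempts += 1
            return False
        invite.used = True
        return True


def demo() -> Dict[str, bool]:
    """Run the weak and hardened checks side by side; every value should be True."""
    now = 1_700_000_000.0                  # fixed clock so the demo is deterministic
    store = InviteStore()
    code = store.issue(now=now)
    stale = store.issue(now=now)
    return {
        "weak_accepts_guess": weak_invite_check("test"),
        "strong_rejects_guess": not store.redeem("test", now=now),
        "strong_accepts_issued": store.redeem(code, now=now),
        "strong_rejects_replay": not store.redeem(code, now=now),
        "strong_rejects_expired": not store.redeem(stale, now=now + store.ttl_seconds + 1),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the `id.secret` split is that the database lookup happens on a non-secret identifier, so the only comparison involving the secret is the constant-time hash comparison. Storing only the hash means a leaked invite table does not hand out working codes, and the `used` flag plus expiry bound the damage if a code is shared or mailed to the wrong person. The `failed_attempts` counter is where a real deployment would hook per-IP or per-account throttling and an alert, since a burst of failed redemptions on /register.php is the observable sign of someone guessing codes.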