FirstBlood-#386Any user can update another's user password via /drpanel/drapi/editpassword.php endpoint
This issue was discovered on FirstBlood v2

On 2021-10-25, panya Level 7 reported:

Steps to reproduce:

  1. Register a doctor (e.g. with a name admin and test as an invitation code).
  2. Don't login with the provided credentials.
  3. Update the user password via this request:
    curl -X POST '' --data-raw 'username=admin'

    it works for any user and returns the newly generated password of the provided username user.

    Password updated - s3mKUOhRTFvEo6Z

Actual result:

The password of the admin user will be updated to s3mKUOhRTFvEo6Z. An attacker could login with this password and take over the account.

Expected result:

The /drpanel/drapi/editpassword.php endpoint should properly validate user role and should be accessible only for admins.


I'm not sure if it is a different bug or not, but this endpoint also doesn't have any CSRF protection, it could be exploited via this basic PoC:

<body onload="document.forms[0].submit()">
  <form method="post" action="">
    <input type="hidden" name="username" value="admin">

By visiting a html page with this code, admin user's password will be updated to a newly generated value.


Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: admin

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

Report Feedback


Creator & Administrator

Hi panya, nice find! The intended issue was to be able to login as 'drAdmin' which could be found from user enumeration (different error message produced), or from FirstBlood v1. However you are correct you can update any users password, but the 'admin' account doesn't actually have any special powers. drAdmin is the root admin