FirstBlood #481: Able to register an account using invite code "test"
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-25, shivam18u Level 3 reported:

Hi Sean,

I found that we can register a new account with the invite code "test".

To reproduce the bug, go to /register.php, enter your username and set the invite code to "test".

You will be registered and will get a password for the account.

This way anyone can create an account and get info about the patients.

Have a nice day!

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
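As an added illustration of the bug class the triage note describes (this is not FirstBlood's register.php, which the report does not show, and it is written in Python rather than PHP with assumed names): a fixed test invite code left beside the real lookup, next to a hardened check that only accepts issued, single-use codes.

```python
import hmac
import secrets


class InviteStore:
    """Holds invite codes that were actually issued and not yet used (constructed stand-in for a DB table)."""

    def __init__(self):
        self._codes = set()

    def issue(self):
        code = secrets.token_urlsafe(16)  # 128 bits of randomness, not guessable
        self._codes.add(code)
        return code

    def consume(self, candidate):
        # Constant-time compare against each issued code; burn the code on first use
        match = None
        for code in self._codes:
            if hmac.compare_digest(code.encode(), candidate.encode()):
                match = code
        if match is None:
            return False
        self._codes.discard(match)
        return True


def register_vulnerable(store, username, invite_code):
    # The leftover shortcut: a developer-era literal that short-circuits the real check.
    # Anyone who knows the literal registers without an issued code (the #481 behaviour).
    if invite_code == "test" or store.consume(invite_code):
        return {"username": username, "password": secrets.token_urlsafe(12)}
    return None


def register_hardened(store, username, invite_code):
    # No literals, no environment-dependent bypass: only an issued, unused code registers,
    # and the same generic failure is returned for unknown, used and test codes alike.
    if not store.consume(invite_code):
        return None
    return {"username": username, "password": secrets.token_urlsafe(12)}
```

A code review or a grep for string literals compared against the invite parameter would have caught the first version before v2 shipped.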