FirstBlood-#482 — Able to change password of any account (admin account access)
This issue was discovered on FirstBlood v2
On 2021-10-25, shivam18u Level 3 reported:
Hi Sean,
I found a bug which can be exploited to get Admin access (i.e. drAdmin).
By sending a POST request to /drpanel/drapi/editpassword.php
with the header Content-Type: application/x-www-form-urlencoded
and the data username=drAdmin
You don't even need to have an account. You can send the request without cookies.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635191237/qtiztuzoyaervd5ngjqm.png)
This way anyone can access the admin account even if the password is changed.
Thank you for this event.
Have a nice day!!
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
This report contains multiple vulnerabilities:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (drAdmin) from /drapi/editpassword, since the endpoint only checks the submitted username. Usernames can be enumerated at login, as trying 'drAdmin' produces a different error message. The username can also be found in FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.
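Both findings (FirstBlood ID 27, the handler trusting a client-supplied username, and ID 28, the handler being reachable without a session) come from the same missing checks. The following is an added example of how a hardened password-change handler closes both gaps; it is not FirstBlood's own code, and the table name, column names, session keys, form field names and the SQLite DSN are assumptions made for illustration.

```php
<?php
// Added example, not FirstBlood's code: a hardened password-change handler.
// Assumed schema: users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT).
// Assumed session layout: $_SESSION['user_id'] and $_SESSION['csrf_token'].
declare(strict_types=1);

session_start();

function json_fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Only accept POST; a password change must never be a GET side effect.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    json_fail(405, 'method not allowed');
}

// 2. Require an authenticated session (fixes ID 28). Unauthenticated callers
//    get one generic error no matter which username they submit.
if (empty($_SESSION['user_id'])) {
    json_fail(401, 'authentication required');
}

// 3. Bind the change to the logged-in account, never to a username taken
//    from the request body (fixes ID 27). The POST body cannot choose the target.
$userId = (int) $_SESSION['user_id'];

// 4. CSRF token check: with the session cookie alone, a cross-site form could
//    submit this request on the victim's behalf.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    json_fail(403, 'invalid csrf token');
}

$current = (string) ($_POST['current_password'] ?? '');
$new     = (string) ($_POST['new_password'] ?? '');
$confirm = (string) ($_POST['confirm_password'] ?? '');

if ($new === '' || $new !== $confirm) {
    json_fail(400, 'new passwords do not match');
}
if (strlen($new) < 12) {
    json_fail(400, 'password too short');
}

$pdo = new PDO('sqlite:users.db'); // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 5. Re-authenticate with the current password before accepting a new one,
//    so a hijacked session alone is not enough to lock the owner out.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = :id');
$stmt->execute([':id' => $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || !password_verify($current, (string) $row['password_hash'])) {
    json_fail(403, 'current password incorrect');
}

// 6. Store only a salted hash and rotate the session id after the change.
$stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
$stmt->execute([
    ':h'  => password_hash($new, PASSWORD_DEFAULT),
    ':id' => $userId,
]);
session_regenerate_id(true);

header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

The design point is that the target account is derived from server-side session state rather than the request, so the `username` parameter that drove the original finding no longer exists as an input. Administrative resets of other users' passwords, if needed, belong in a separate handler that additionally checks the caller's role and logs the action, rather than being folded into the self-service endpoint.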