FirstBlood-#504Endpoint allows unauthorized users to update other user's passwords
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, 0xblackbird Level 5 reported:

Hello! I found out that the following API endpoint (/drpanel/drapi/editpassword.php) allows anyone to update another user's password, including the admin password. This gave me access to the admin account.

Steps to reproduce:

  • We need to make a POST request to /drpanel/drapi/editpassword.php and supply the username as a POST parameter. To do so, we have several ways to achieve this. One is by JavaScript (this can be done via your console):let username="dradmin";var z=new XMLHttpRequest();z.open('POST','/drpanel/drapi/editpassword.php',true);z.setRequestHeader('Content-Type','application/x-www-form-urlencoded');z.send(`username=${username}`); and z.response // To view the response

  • Once you got the response, copy the password and go to /login.php and use the credentials, in this case it's dradmin:0OHhGKynTJtsaNR. And we're successfully logged in as another user with higher privileges.

Thanks for the fun challenge!

Regards,
0xblackbird

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Auth issues


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.