FirstBlood-#536 Anyone can register as doctor by giving invite code "test"
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, vishal Level 2 reported:

Description: Anyone can register as doctor by giving invite code "test"

Steps to Reproduce the issue :

  1. Visit /register.php.
  2. Now enter any username you want to register as, and enter test as the invite code, as below.
  3. Click on Secure Register. You should be successfully registered as a doctor, as below.

Impact: Anyone can register as a Doctor.

Let me know if anything is missing or further information is required.

Thanks and Regards - Vishal

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
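
The failure described above, as an added example that is not FirstBlood's own code: a registration check that still honours a leftover static test code, beside a version that accepts only server-issued, single-use, expiring invites. The `InviteStore` class, both function names and the data layout are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed leftover: a test value still honoured by the registration check.
LEFTOVER_TEST_CODE = "test"


class InviteStore:
    """Server-issued, single-use, expiring invite codes (hypothetical design)."""

    def __init__(self):
        self._invites = {}  # sha256(code) -> expiry timestamp

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, ttl_seconds=86400):
        # Random code; only its hash is stored, so a store leak reveals no codes.
        code = secrets.token_urlsafe(16)
        self._invites[self._digest(code)] = time.time() + ttl_seconds
        return code

    def redeem(self, code):
        """Return True once for a valid, unexpired code; the code is burned on use."""
        expiry = self._invites.pop(self._digest(code), None)
        return expiry is not None and time.time() < expiry


def register_vulnerable(store, username, invite_code):
    # Flawed: the static test value bypasses the issued-invite lookup entirely.
    if invite_code == LEFTOVER_TEST_CODE or store.redeem(invite_code):
        return {"username": username, "role": "doctor"}
    return None


def register_hardened(store, username, invite_code):
    # Only codes the server issued are accepted; there is no static fallback.
    if isinstance(invite_code, str) and store.redeem(invite_code):
        return {"username": username, "role": "doctor"}
    return None
```

A release check that submits known test values to the registration handler and expects a rejection would catch this class of leftover before deployment.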