FirstBlood-#551 — Enumerate usernames
This issue was discovered on FirstBlood v2
On 2021-10-26, twsec Level 2 reported:
As mentioned before, the editpassword.php function can be used by any non-authenticated user to enumerate usernames and change their password at the same time, thus taking over their account.
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635233731/pahto3kas7lyxzlgyyy6.jpg)
![](https://res.cloudinary.com/bugbountynotes/image/upload/v1635233745/xx7nbjnkzienofumds1q.jpg)
P4 Low
Endpoint: /drpanel/drapi/editpassword.php
This report contains multiple vulnerabilities:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it only checks the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.
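The two FirstBlood IDs above describe one weak design: a password-change handler that trusts a caller-supplied username and needs no session, plus a login that leaks account existence through differing errors. The following is an added example written for this page, not the FirstBlood application's own code (which the report does not show). It sketches how such a handler and login can be built so that neither defect is present; the in-memory user store, the session and request field names, and the function names are all assumptions made for the illustration.

```php
<?php
// Added example, not FirstBlood's code. The user store, session shape and
// field names below are assumptions for illustration only.
declare(strict_types=1);

// Constructed in-memory user store standing in for the database. Passwords are
// stored as password_hash() output, never in plaintext.
$users = [
    'dradmin' => ['id' => 1, 'role' => 'admin', 'hash' => password_hash('correct horse battery', PASSWORD_DEFAULT)],
    'alice'   => ['id' => 2, 'role' => 'user',  'hash' => password_hash('s3cret-alice',          PASSWORD_DEFAULT)],
];

// Login that returns one identical error for an unknown username and for a
// wrong password, so the response cannot be used to enumerate accounts.
function login(array $users, string $username, string $password): array
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-for-constant-work', PASSWORD_DEFAULT);

    $record = $users[$username] ?? null;
    // Always run a hash comparison, even for unknown users, so response timing
    // does not differ between the two failure cases.
    $verified = password_verify($password, $record['hash'] ?? $dummyHash);
    if ($record === null || !$verified) {
        return ['ok' => false, 'error' => 'Invalid username or password'];
    }
    return ['ok' => true, 'user_id' => $record['id'], 'role' => $record['role']];
}

// Password change bound to the authenticated session rather than to a username
// in the request. Unauthenticated callers are rejected, the CSRF token must
// match the session's, and the current password must be re-proven.
function editPassword(array &$users, array $session, array $post): array
{
    if (empty($session['user_id'])) {
        return ['status' => 401, 'error' => 'Authentication required'];
    }
    $token = (string)($session['csrf'] ?? '');
    if ($token === '' || !hash_equals($token, (string)($post['csrf'] ?? ''))) {
        return ['status' => 403, 'error' => 'Invalid CSRF token'];
    }
    // Resolve the account from the session's user id; any 'username' field in
    // $post is deliberately ignored.
    $username = null;
    foreach ($users as $name => $u) {
        if ($u['id'] === $session['user_id']) {
            $username = $name;
            break;
        }
    }
    if ($username === null) {
        return ['status' => 401, 'error' => 'Authentication required'];
    }
    if (!password_verify((string)($post['current_password'] ?? ''), $users[$username]['hash'])) {
        return ['status' => 403, 'error' => 'Current password incorrect'];
    }
    $new = (string)($post['new_password'] ?? '');
    if (strlen($new) < 12) {
        return ['status' => 400, 'error' => 'New password too short'];
    }
    $users[$username]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return ['status' => 200, 'ok' => true];
}

// Constructed requests exercising the checks.
$anon = editPassword($users, [], ['username' => 'dradmin', 'new_password' => 'caller-chosen-value']);
echo $anon['status'] === 401 ? "unauthenticated change rejected\n" : "FAIL\n";

$session = ['user_id' => 2, 'csrf' => bin2hex(random_bytes(16))];
$own = editPassword($users, $session, [
    'username'         => 'dradmin',           // ignored: session decides the account
    'csrf'             => $session['csrf'],
    'current_password' => 's3cret-alice',
    'new_password'     => 'alice-new-password-1',
]);
$adminUntouched = password_verify('correct horse battery', $users['dradmin']['hash']);
$aliceChanged   = password_verify('alice-new-password-1', $users['alice']['hash']);
echo ($own['status'] === 200 && $adminUntouched && $aliceChanged) ? "only session user changed\n" : "FAIL\n";

$unknown = login($users, 'drAdmin', 'x');   // unknown username
$wrong   = login($users, 'dradmin', 'x');   // known username, wrong password
echo $unknown['error'] === $wrong['error'] ? "login errors indistinguishable\n" : "FAIL\n";
```

The design choice that closes ID 27 and ID 28 together is that the handler never reads an account name from the request: the session identifies the account, so an unauthenticated request has nothing to act on and an authenticated one can only reach its own record. A separate administrative path for resetting other users' passwords would add a role check and an audit log entry on top of the same session and CSRF requirements.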
Creator & Administrator
Hi twsec, we don't have a unique bug for enumerating usernames from this endpoint, so I'm going to assign ID 27 as the description mentions user enumeration.