FirstBlood-#558 — Admin password can be changed and retained by anyone
This issue was discovered on FirstBlood v2
On 2021-10-26, d20s84 Level 3 reported:
Summary:
Anyone accessing the site can generate the password for dramin i.e. the admin user without any authorization
How?
- Register as a non admin doctor. For more reference read : https://www.bugbountyhunter.com/hackevents/report?id=540
- In the source code of /drpanel/drapi/index.php i found this code.
- I used ffuf to fuzz but nothing. Then a guess led me to /drpanel/drapi/editpassword.php this endpoint.
With refrence to the source code i crafted the request and Boom!!
This is not it!!
- I wondered this was from the user using non admin doctor creds. Is it possible without the cookie? So, i removed the cookie, and
Boom!! Anyone who knows the endpoint can easily get the "dradmin" 's password.
Impact:
It has a huge impact!!! It can lead to full admin control of the site!!
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
This report contains multiple vulnerabilities:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.