FirstBlood-#558 — Admin password can be changed and retained by anyone
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, d20s84 Level 3 reported:
Anyone accessing the site can generate the password for dramin i.e. the admin user without any authorization
- Register as a non admin doctor. For more reference read : https://www.bugbountyhunter.com/hackevents/report?id=540
- In the source code of /drpanel/drapi/index.php i found this code.
- I used ffuf to fuzz but nothing. Then a guess led me to /drpanel/drapi/editpassword.php this endpoint. With refrence to the source code i crafted the request and Boom!! This is not it!!
- I wondered this was from the user using non admin doctor creds. Is it possible without the cookie? So, i removed the cookie, and Boom!! Anyone who knows the endpoint can easily get the "dradmin" 's password.
It has a huge impact!!! It can lead to full admin control of the site!!
/drpanel/drapi/editpassword.php This bug makes use of the following vulnerabilities in a chain:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.