FirstBlood-#558: Admin password can be changed and retained by anyone
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, d20s84 Level 3 reported:

Summary:

Anyone accessing the site can generate the password for dradmin, i.e. the admin user, without any authorization.

How?

  1. Register as a non-admin doctor. For more reference read: https://www.bugbountyhunter.com/hackevents/report?id=540
  2. In the source code of /drpanel/drapi/index.php I found this code.
  3. I used ffuf to fuzz but found nothing. Then a guess led me to this endpoint: /drpanel/drapi/editpassword.php. With reference to the source code I crafted the request and Boom!! This is not it!!
  4. I wondered if this was because the user was using non-admin doctor creds. Is it possible without the cookie? So, I removed the cookie, and Boom!! Anyone who knows the endpoint can easily get "dradmin"'s password.

Impact:

It has a huge impact!!! It can lead to full admin control of the site!!

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it only looks at the submitted username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.
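The two findings above (ID 27, the handler picks the target row purely by username, and ID 28, the handler never checks for a session) are easiest to see side by side. The following is an added Python model of the editpassword handler, not FirstBlood's PHP code; the user table, session and parameter shapes are constructed assumptions.

```python
import copy
import secrets

# Constructed in-memory user table standing in for FirstBlood's database
# (hypothetical users; real code stores password hashes, never plaintext).
USERS = {
    "dradmin": {"password": "admin-secret", "role": "admin"},
    "drbob": {"password": "bob-secret", "role": "doctor"},
}

def fresh_users():
    """Return a private copy of the table so each call starts from a clean state."""
    return copy.deepcopy(USERS)

def editpassword_vulnerable(session, params, users):
    """Models the reported behaviour: the session is never consulted (ID 28)
    and the row to update is chosen purely by the submitted username (ID 27)."""
    username = params.get("username")
    if username not in users:
        return 404, "user not found"  # distinct error also enables username enumeration
    users[username]["password"] = params["password"]
    return 200, "password updated"

def editpassword_fixed(session, params, users):
    """Hardened handler: require a logged-in caller, bind the target row to that
    caller, demand the current password, and never reveal whether other users exist."""
    caller = session.get("username") if session else None
    if caller is None or caller not in users:
        return 401, "authentication required"  # closes ID 28: no session, no change
    target = params.get("username", caller)
    if target != caller:
        return 403, "forbidden"  # closes ID 27: same response whether or not target exists
    current = params.get("current_password", "")
    if not secrets.compare_digest(current.encode(), users[caller]["password"].encode()):
        return 403, "forbidden"  # constant-time compare, same generic error as above
    new_password = params.get("password", "")
    if len(new_password) < 12:
        return 400, "password does not meet policy"
    users[caller]["password"] = new_password
    return 200, "password updated"
```

An unauthenticated POST naming dradmin succeeds against the first handler and is rejected with 401 by the second; a logged-in doctor naming dradmin is rejected with 403 without learning whether that account exists.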