FirstBlood-#569Default credentials allow any unauthorized user to get access to a doctor account
This issue was discovered on FirstBlood v2

On 2021-10-26, 0xblackbird Level 5 reported:

Hi! From the description of the FirstBlood event, I can see that credentials were not given for the following reason:

No credentials are available this time for FirstBlood v2.0.0 as we're still doing some testing on this.

From this information, we can extract 2 things, the password (which is in bold text) and that the v2.0.0 is still being tested. Which means, test accounts are created in order for the developers to fully test the release. The username wasn't that hard to guess: testdoctor.

Steps to reproduce

  • Now that we've got the credentials, all we have to do is use them. To do so, visit /login.php and use the following credentials: testdoctor:test and login.

  • You'll see that we're successfully logged in as the testdoctor.

Kind regards,

P3 Medium



FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.