FirstBlood-#569 — Default credentials allow any unauthorized user to get access to a doctor account
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, 0xblackbird reported:
Hi! From the description of the FirstBlood event, I can see that credentials were not given for the following reason:
No credentials are available this time for FirstBlood v2.0.0 as we're still doing some testing on this.
From this information, we can extract 2 things: the password (which is in bold text) and that v2.0.0 is still being tested. This means that test accounts are created in order for the developers to fully test the release. The username wasn't that hard to guess:
Steps to reproduce
- Now that we've got the credentials, all we have to do is use them. To do so, visit /login.php and use the following credentials:
- You'll see that we're successfully logged in as the testdoctor.
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
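The fix class this report calls for is a release gate: before v2.0.0 ships, nothing created for pre-release testing (test accounts, the test invite code) may still be active in production, and the login path should refuse test accounts there even if someone forgets to disable them. The following is an added example, not FirstBlood's code; the user table, invite codes and `environment` flag are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data, not FirstBlood's real user table or invite codes.
@dataclass
class Account:
    username: str
    role: str
    is_test: bool   # created only for pre-release testing
    enabled: bool

@dataclass
class InviteCode:
    code: str
    is_test: bool
    active: bool

SAMPLE_ACCOUNTS = [
    Account("drsmith", "doctor", is_test=False, enabled=True),
    Account("testdoctor", "doctor", is_test=True, enabled=True),   # the kind of account the report used
    Account("qa_patient", "patient", is_test=True, enabled=False),
]
SAMPLE_INVITES = [
    InviteCode("INVITE-PROD-EXAMPLE", is_test=False, active=True),
    InviteCode("INVITE-TEST-EXAMPLE", is_test=True, active=True),  # hypothetical leftover test code
]

def release_gate_findings(accounts, invites, environment):
    """Return findings that should block a production release.
    Test accounts and test invite codes may stay active only outside production."""
    if environment != "production":
        return []
    findings = []
    for a in accounts:
        if a.is_test and a.enabled:
            findings.append(f"test account still enabled: {a.username} ({a.role})")
    for i in invites:
        if i.is_test and i.active:
            findings.append(f"test invite code still active: {i.code}")
    return findings

def login_allowed(account, environment):
    """Runtime guard for a login.php-style handler: refuse disabled accounts
    everywhere, and refuse test accounts in production even if still enabled."""
    if not account.enabled:
        return False
    if environment == "production" and account.is_test:
        return False
    return True
```

Run `release_gate_findings(...)` in CI against the production user and invite tables; a non-empty result fails the build, which is what would have caught the leftover testdoctor account and test code before v2.0.0 went live.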