FirstBlood-#578: Application Logic flaw leads to anyone registering a doctor account without invite code
This issue was discovered on FirstBlood v2



On 2021-10-26, th33phoenix Level 4 reported:

Hey there!!!!!

I have found an app logic error, resulting in an attacker registering a doctor account without an invitation code.

Description:

Doctor accounts are pre-made and the invite codes are sent to them. But using a bypass, any attacker can register for a doctor account.

Impact:

An attacker can create a doctor account of his choice, which gives him access to more functionalities like seeing patient info, searching for patients, etc.

Steps to reproduce:

  1. Visit /register.php and try to register for an account using the previous invitation code that was leaked on Reddit. See that we get an error:

  2. Use "test" as invite code and see that we are able to register:

  3. Now log in to the account using the provided password:

P3 Medium

Endpoint: /register.php

Parameter: none

Payload: none


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
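
A defensive sketch of the root cause noted above, added here as an example and not FirstBlood's own code: invites are stored server-side as digests, redeemed once, and an audit flags any placeholder code that is still redeemable before release. The `InviteStore` class, the binding of a code to an e-mail address, and the placeholder list are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed list of placeholder values that tend to survive from testing.
PLACEHOLDER_CODES = {"test", "testing", "demo", "invite", "1234", "changeme"}


def digest(code: str) -> str:
    """Store only a digest so a database leak does not expose usable codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class InviteStore:
    """Hypothetical store: code digest -> invited e-mail, single use."""

    def __init__(self):
        self._pending = {}

    def issue(self, email: str) -> str:
        # Unguessable, per-recipient code instead of a shared string.
        code = secrets.token_urlsafe(24)
        self._pending[digest(code)] = email
        return code

    def seed(self, code: str, email: str) -> None:
        # Models a fixture inserted by hand during testing.
        self._pending[digest(code)] = email

    def redeem(self, code: str, email: str) -> bool:
        key = digest(code)
        bound = self._pending.get(key)
        # Unknown code, or code issued to a different recipient: reject.
        if bound is None or bound != email:
            return False
        del self._pending[key]  # single use
        return True

    def audit(self) -> list:
        """Return placeholder codes that are still redeemable."""
        return sorted(c for c in PLACEHOLDER_CODES if digest(c) in self._pending)


if __name__ == "__main__":
    store = InviteStore()
    store.seed("test", "qa@example.test")  # constructed leftover fixture
    leftovers = store.audit()
    if leftovers:
        raise SystemExit(f"release blocked, placeholder invites active: {leftovers}")
```

Running `audit()` as a release gate catches the leftover code even when nobody remembers that it was seeded.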