FirstBlood-#578 — Application Logic flaw leads to anyone registering a doctor account without invite code
This issue was discovered on FirstBlood v2
On 2021-10-26, th33phoenix Level 4 reported:
Hey there!!!!!
I have found an app logic error, resulting in an attacker registering a doctor account without an invitation code
Description:
Doctor accounts are pre-made and the invite codes are sent to them. But using a bypass, any attacker can register for a doctor account.
Impact:
An attacker can create a doctor account of his choice, which gives him access to more functionalities like seeing patient info, searching for patients, etc.
Steps to reproduce:
- Visit /register.php and try to register for an account using the previous invitation code that was leaked on Reddit. See that we get an error:
- Use "test" as invite code and see that we are able to register:
- Now log in to the account using the provided password:
P3 Medium
Endpoint: /register.php
Parameter: none
Payload: none
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
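
An added example, not FirstBlood's code: a sketch of a server-side invite check in which a code is accepted only if it was issued, not revoked and not yet used, together with a pre-release audit that flags a leftover placeholder such as the "test" code from this report. The table layout, function names and sample codes are assumptions constructed for illustration.

```python
import hashlib
import sqlite3

def _digest(code: str) -> str:
    # Store only a hash so a database leak does not expose usable codes.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # in-memory so the example runs offline
    db.execute(
        "CREATE TABLE invites ("
        " digest TEXT PRIMARY KEY,"
        " revoked INTEGER NOT NULL DEFAULT 0,"
        " used_by TEXT)"
    )
    return db

def issue(db, code: str) -> None:
    db.execute("INSERT INTO invites (digest) VALUES (?)", (_digest(code),))

def revoke(db, code: str) -> None:
    db.execute("UPDATE invites SET revoked = 1 WHERE digest = ?", (_digest(code),))

def redeem(db, code: str, username: str) -> bool:
    # One atomic UPDATE: succeeds only for an issued, unrevoked, unused code,
    # so there is no separate "is it valid?" branch to leave a bypass in.
    cur = db.execute(
        "UPDATE invites SET used_by = ?"
        " WHERE digest = ? AND revoked = 0 AND used_by IS NULL",
        (username, _digest(code)),
    )
    db.commit()
    return cur.rowcount == 1

def audit_placeholders(db, placeholders=("test",)) -> list:
    # Pre-release check: which known placeholder codes are still redeemable?
    live = "SELECT 1 FROM invites WHERE digest = ? AND revoked = 0 AND used_by IS NULL"
    return [p for p in placeholders if db.execute(live, (_digest(p),)).fetchone()]

if __name__ == "__main__":
    db = open_store()
    issue(db, "constructed-invite-7f3a")  # constructed sample code
    issue(db, "test")                     # placeholder left over from testing
    print(audit_placeholders(db))
    revoke(db, "test")
    print(redeem(db, "test", "mallory"), redeem(db, "constructed-invite-7f3a", "dr_a"))
```

Running `audit_placeholders` against the production invite store as a release gate turns a forgotten test code into a failed build instead of a reportable bypass.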