FirstBlood-#580 Unauthorized access to edit password API leading to Account Takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, holybugx Level 5 reported:

Description

Hello Sean,

The exposed /drpanel/drapi/editpassword.php API endpoint allows an attacker to reset users' passwords and take over their accounts. Using this vulnerability, I was able to take over the drAdmin account to gain administrative access.

The commented-out JavaScript function on the /drpanel/index.html endpoint reveals the edit password functionality. Although the endpoint is not mentioned directly, I was able to find the valid API endpoint from previous knowledge of the application.

Steps To Reproduce

  1. Make a POST request to the /drpanel/drapi/editpassword.php endpoint with the provided username as the body:

  2. Use the given credentials to log in to the application through the /login.php endpoint:

  • It is indicated that the credentials were valid and we are logged in as the drAdmin administrator.

Impact

  • Account Takeover of various accounts (users/admins)

Remediation

  • Implementing proper authorization checks on the /drpanel/drapi/editpassword.php API endpoint.

Kind Regards,

HolyBugx
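What the remediation in the report amounts to in code, as an added example written for this page and not FirstBlood's own source (which is not shown here). It assumes a PDO handle `$pdo`, a `users` table with `id`, `username`, `role` and `password_hash` columns, and a PHP session that stores `user_id` and a `csrf` token at login; all of those names are assumptions. The comments mark the two checks the reported endpoint lacked: that the caller is logged in at all, and that the caller is allowed to change the account named in the request.

```php
<?php
// Added example, not the FirstBlood source. Assumed: $pdo (PDO), table
// users(id, username, role, password_hash), session keys user_id and csrf.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

// Reject non-string bodies (username[]=x) instead of casting them to "Array".
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'method not allowed');
}

// 1. Authentication. The reported endpoint answered unauthenticated requests;
//    an anonymous caller must get a 401 before any user data is touched.
if (empty($_SESSION['user_id'])) {
    fail(401, 'login required');
}

// 2. CSRF. Otherwise a logged-in victim can be made to call this from another origin.
$csrf = (string)($_SESSION['csrf'] ?? '');
if ($csrf === '' || !hash_equals($csrf, post_string('csrf'))) {
    fail(403, 'bad csrf token');
}

// Load the caller from the server side; never trust a role or id sent by the client.
$stmt = $pdo->prepare('SELECT id, username, role, password_hash FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
$me = $stmt->fetch(PDO::FETCH_ASSOC);
if ($me === false) {
    fail(401, 'login required');
}

// 3. Authorization. The reported endpoint trusted the posted username, so any
//    caller could name "drAdmin". The target is the caller's own account unless
//    the caller's stored role is admin.
$requested = trim(post_string('username'));
$isSelf = ($requested === '' || strcasecmp($requested, $me['username']) === 0);
$isAdmin = ($me['role'] === 'admin');
if (!$isSelf && !$isAdmin) {
    fail(403, 'forbidden');
}

// 4. Re-authentication for self-service changes, so a hijacked session cannot
//    silently lock the real owner out.
$newPassword = post_string('password');
if ($isSelf && !password_verify(post_string('current_password'), $me['password_hash'])) {
    fail(403, 'current password incorrect');
}
if (strlen($newPassword) < 12) {
    fail(400, 'password must be at least 12 characters');
}

$target = $isSelf ? $me['username'] : $requested;
$update = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
$update->execute([password_hash($newPassword, PASSWORD_DEFAULT), $target]);
if ($update->rowCount() !== 1) {
    fail(404, 'no such user');
}

echo json_encode(['ok' => true, 'username' => $target]);
```

The order matters: authentication and CSRF are checked before the database is touched, the role comes from the stored user row rather than from the session or the request, and the target account is derived from the session unless the caller is an admin. With that in place the report's POST of `username=drAdmin` from an unauthenticated client gets a 401, and from a logged-in non-admin gets a 403.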

P1 CRITICAL

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Application/Business Logic


FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (drAdmin) from /drapi/editpassword because it only looks at the posted username. Usernames can be enumerated at login, since trying 'drAdmin' results in a different error message than an invalid username does. The username can also be found from FirstBlood v1.
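The enumeration half of the chain, as an added example and not FirstBlood's own login code: the triage note says that trying 'drAdmin' at login produces a different error, which tells an attacker the account exists before any password is tried. The hardened handler below returns one status and one message for every failure cause and runs `password_verify()` even when the username is unknown, so the two paths cannot be told apart by message or by timing. It assumes a PDO handle `$pdo`, a `users` table with `id`, `username`, `role` and `password_hash` columns, and a PHP session; those names are assumptions.

```php
<?php
// Added example, not the FirstBlood source. Assumed: $pdo (PDO), table
// users(id, username, role, password_hash), a PHP session.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// Reject non-string bodies (username[]=x) instead of casting them to "Array".
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Vulnerable shape the triage note describes: a different error per cause.
//   if ($user === false)                                -> "unknown username"
//   if (!password_verify($pw, $user['password_hash']))  -> "wrong password"
// The first branch confirms that 'drAdmin' exists before any password is tried.

/** Returns the user row on success, null on any failure, without saying which. */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, role, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a real bcrypt hash even when the user does not exist, so the
    // unknown-user path costs the same as the wrong-password path. In production
    // keep the placeholder hash as a constant rather than computing it per request.
    $hash = ($user !== false)
        ? $user['password_hash']
        : password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);

    return ($user !== false && $ok) ? $user : null;
}

$user = authenticate($pdo, post_string('username'), post_string('password'));
if ($user === null) {
    // One status and one message for unknown user and wrong password alike.
    http_response_code(401);
    echo json_encode(['error' => 'Invalid username or password']);
    exit;
}

// Fresh session id on privilege change, plus the CSRF token the edit-password
// endpoint expects.
session_regenerate_id(true);
$_SESSION['user_id'] = $user['id'];
$_SESSION['role'] = $user['role'];
$_SESSION['csrf'] = bin2hex(random_bytes(32));
echo json_encode(['ok' => true]);
```

Uniform errors are defence in depth, not the fix: the note points out that the admin username was already known from FirstBlood v1, so the authorization check on the edit-password endpoint is what actually closes the chain. Rate limiting on the login endpoint is the other control worth pairing with this, since the same request pattern that enumerates usernames is the one used to guess passwords.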