FirstBlood-#580 — Unauthorized access to edit password API leading to Account Takeover
This issue was discovered on FirstBlood v2
On 2021-10-26, holybugx Level 5 reported:
The /drpanel/drapi/editpassword.php API endpoint allows an attacker to reset users' passwords and take over their accounts. Using this vulnerability I was able to take over the drAdmin account to gain administrative access.
The /drpanel/index.html endpoint reveals the edit password functionality. Although the endpoint is not mentioned directly, I was able to find the valid API endpoint from previous application knowledge.
Steps To Reproduce
- Make a POST request to the /drpanel/drapi/editpassword.php endpoint with the provided username as the body:
- Use the given credentials to log in to the application through the
- It is indicated that the credentials were valid and we are logged in as the
- Account Takeover of various accounts (users/admins)
- Implementing proper authorization checks on the
This report contains multiple vulnerabilities:
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) via /drapi/editpassword, as the endpoint only checks the supplied username. Usernames can be enumerated at login, since trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
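The two findings above (an unauthenticated endpoint, and an endpoint that trusts a caller-supplied username) both come down to the missing authorization check the reporter's remediation points at. The following is an added example of what a hardened edit-password handler looks like; it is not FirstBlood's own code. It assumes a `users` table with `id`, `username`, `password_hash` and `is_admin` columns, a PHP session that stores `user_id` and `is_admin` at login plus a CSRF token under `csrf`, and the field names `username`, `password`, `current_password` and `csrf` in the POST body; the DSN at the bottom is a placeholder.

```php
<?php
declare(strict_types=1);

// Hardened edit-password handler (added example, not FirstBlood's code).
// Assumed schema: users(id, username, password_hash, is_admin).
// Assumed session: user_id and is_admin set at login, csrf token in 'csrf'.

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

function handleEditPassword(PDO $pdo): void {
    session_start();

    // 1. Authentication: the caller must hold a logged-in session.
    //    The reported endpoint accepted requests with no session at all.
    if (empty($_SESSION['user_id'])) {
        deny(401, 'Authentication required');
    }
    $actorId      = (int) $_SESSION['user_id'];
    $actorIsAdmin = !empty($_SESSION['is_admin']);

    // 2. CSRF: a state-changing POST must carry the session-bound token.
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf'] ?? '', $token)) {
        deny(403, 'Invalid request token');
    }

    $username    = (string) ($_POST['username'] ?? '');
    $newPassword = (string) ($_POST['password'] ?? '');
    if (strlen($newPassword) < 12) {
        deny(400, 'Password does not meet policy');
    }

    // 3. Authorization: the target is bound to the session identity. Only an
    //    admin may name another account, and "not allowed" and "no such user"
    //    return the same response so the endpoint cannot enumerate usernames.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $target = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($target === false || ((int) $target['id'] !== $actorId && !$actorIsAdmin)) {
        deny(403, 'Not permitted');
    }

    // 4. Re-authentication: a user changing their own password proves the
    //    current one, so a stolen session cookie alone is not enough.
    if ((int) $target['id'] === $actorId) {
        $current = (string) ($_POST['current_password'] ?? '');
        if (!password_verify($current, $target['password_hash'])) {
            deny(403, 'Not permitted');
        }
    }

    $newHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $upd->execute([$newHash, (int) $target['id']]);

    // 5. Audit: log actor and target so admin-driven resets are reviewable.
    error_log(sprintf('password change: actor=%d target=%d admin=%s',
        $actorId, (int) $target['id'], $actorIsAdmin ? 'yes' : 'no'));

    header('Content-Type: application/json');
    echo json_encode(['ok' => true]);
}

handleEditPassword(new PDO('sqlite:firstblood.db'));  // placeholder DSN
```

The same uniform-error rule applies to the login handler: returning one generic message for a wrong username and a wrong password removes the signal that let the reporter confirm `drAdmin` exists.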