FirstBlood-#592Register a doctor
This issue was discovered on FirstBlood v2

On 2021-10-26, twsec Level 2 reported:

while to login we are faced with a login or register doctor, since we have no credentials we need to register

  1. it's always important to read the scope because there's a hidden message there

note the bold test

so where might we use it, tried username ,but there's still the invite code so we try invite code "test" and it works.

but since it should be unique which means it should be used once, we can use the same code to register another doctor at the same time.

now we have access to the drpanel we could view the source of the page and notice the commented out code for editpassword function

and we can escalate our privileges to become an Admin Doctor.

P3 Medium

Endpoint: /register.php

Parameter: unique invite code

Payload: test

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.