FirstBlood-#629 — Admin account takeover by password reset
This issue was discovered on FirstBlood v2 (issues patched)
On 2021-10-26, buraaq Level 2 reported:
In page source of
/drpanel/index.php, there is commented out JS which is used for resetting user password. By the function name we can guess /know the endpoint easily.
Steps to reproduce
- Visit the vulnerable endpoint
/drpanel/drapi/editpassword.php, with burp on
- Send the request to the repeater.
- Change the request to
POST, and the body
(Username is guessable as it was used in hackevent v1, you can also verify it on register page -
drAdminas username and dummy invite-code and error says
Error : This is the administrator account and you are not allowed access.)
- After all is set as said above, send the request and you receive a response with a changed password.
Attack can take-over the admin account.
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.