FirstBlood-#629Admin account takeover by password reset
This issue was discovered on FirstBlood v2 (issues patched)



On 2021-10-26, buraaq Level 2 reported:

Hello zseano,

Summary

In page source of /drpanel/index.php, there is commented out JS which is used for resetting user password. By the function name we can guess /know the endpoint easily.

Endpoint : /drpanel/drapi/editpassword.php

Steps to reproduce
  1. Visit the vulnerable endpoint /drpanel/drapi/editpassword.php, with burp on
  2. Send the request to the repeater.
  3. Change the request to POST, and the body username=drAdmin

(Username is guessable as it was used in hackevent v1, you can also verify it on register page - drAdmin as username and dummy invite-code and error says Error : This is the administrator account and you are not allowed access. )

  1. After all is set as said above, send the request and you receive a response with a changed password.
POC

Impact

Attack can take-over the admin account.

Kind regards,

buraaqsec

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: drAdmin


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.