FirstBlood #635: drAdmin ATO by using doctor account.
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, vishal Level 2 reported:

Description: drAdmin ATO by using doctor account.

Steps to Reproduce:
  1. Visit /register.php.

  2. Give any username and, in the invite code field, enter "test" as below.

  3. Use the credentials you got to log in at /login.php. You will get access to the dr panel.

  4. View the source code of the page and you will notice there is a function to edit the password, named editpassword, and it uses the POST method, the header it sets, etc.

  5. After playing for a while in Repeater, I got the response for which I was waiting.

Now all you need to do is go to /login.php and enter the updated password you just got for the drAdmin username, and you will be logged in as drAdmin, which is an admin account.

Impact: A doctor can take over the admin doctor account.

Lastly, if anything is missing just ping me. Regards, Vishal.

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Application/Business Logic

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but while testing FirstBlood v2 the developers accidentally left the test invite code working.

FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (drAdmin) via /drapi/editpassword, as the endpoint only checks the supplied username and not which account's session is making the request. Usernames can be enumerated at login, since trying 'drAdmin' results in a different error than an unknown username does. The username can also be found in FirstBlood v1.
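The two findings above modelled side by side, as an added example that is not FirstBlood's own code: a password-change handler that trusts the POSTed username (the reported flaw) beside one bound to the authenticated session, plus a login check that returns the same error for an unknown user and a wrong password. The user store, usernames other than drAdmin, and passwords are constructed for the demo.

```python
import hashlib
import hmac


# Constructed user store for the demo (not FirstBlood's data): username -> password hash.
def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_users() -> dict:
    return {"drAdmin": _hash("admin-pass-1"), "drTest": _hash("doctor-pass-1")}


def edit_password_vulnerable(users, session_user, form):
    """Mirrors the reported flaw: the target account is taken from the POSTed
    'username' field, so any logged-in doctor can reset any doctor's password."""
    if session_user is None:
        return 401, "login required"
    target = form.get("username")
    if target not in users:
        return 404, "no such user"
    users[target] = _hash(form["password"])
    return 200, "password updated for " + target


def edit_password_fixed(users, session_user, form):
    """Hardened: the account to change is the authenticated session's own user.
    A client-supplied username is accepted only when it matches the session."""
    if session_user is None or session_user not in users:
        return 401, "login required"
    if form.get("username", session_user) != session_user:
        # A request to change someone else's password: deny and worth alerting on.
        return 403, "forbidden"
    users[session_user] = _hash(form["password"])
    return 200, "password updated"


def login(users, username, password):
    """Returns (success, message). An unknown user and a wrong password produce
    the same message, so the login form no longer confirms that 'drAdmin' exists."""
    stored = users.get(username)
    ok = stored is not None and hmac.compare_digest(stored, _hash(password))
    return ok, ("ok" if ok else "invalid username or password")
```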