FirstBlood-#653 — Account takeover by overwriting user's password
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, neolex Level 2 reported:
The register.php endpoint is insecure. An attacker can overwrite any user's password via the register function. If you use an existing username when registering you will get the error "This invite code is not valid." But if you intercept the query and append %00 you will have another password set for the victim user.
Steps to reproduce
- Go to https://6899078990e9-neolex.a.firstbloodhackers.com/register.php
- Intercept the request of the form with the user's username you want to take over and the
- append %00 to the username
- The victim's password will be changed and displayed
The impact is account takeover of any admin or doctor's account
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.