FirstBlood-#653Account takeover by overwriting user's password
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, neolex Level 2 reported:

Description

The register.php endpoint is insecure. An attacker can overwrite any user's password via register function. If you use a existing username when registering you will have the error This invite code is not valid. But if you intercept the query and append %00 you will have another password set to the victim user.

Step to reproduce

Impact

The impact is account takeover of any admin or doctor's account

P3 Medium

Endpoint: /register.php

Parameter: username

Payload: neolex%00


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.