FirstBlood-#689: Bypass the invitation code and register yourself as a doctor
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, 0xsaltyhash Level 2 reported:

Summary:

In v1 of FirstBlood we were able to register as doctors by using a leaked invite code, but this has been fixed and the leaked code is no longer valid.

So in order for an attacker to register and gain access to the drpanel, he/she needs to obtain a valid invite code.

The scope of FirstBlood v2 had something out of place, the word testing, so I tried to use test as the invite code, and it worked!

Steps to reproduce:

  1. Go to /register.php page.
  2. Enter your desired username.
  3. In the invite code field, enter test and submit the request.
  4. Observe that the registration is successful and the account is created.

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: inviteCode=test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
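
One way to keep a leftover test value from working as an invite code, shown as an added example that is not FirstBlood's own code. The `InviteStore` class, its method names and the placeholder list are assumptions made for illustration, and Python is used here rather than the application's PHP.

```python
import hashlib
import secrets

# Constructed list of placeholder values that tend to survive from testing.
PLACEHOLDER_CODES = {"test", "testing", "demo", "admin", "invite", "1234"}
MIN_CODE_LENGTH = 20  # assumption: every real code comes from issue_code()


def _digest(code: str) -> str:
    """Only digests are stored, so a database leak does not leak usable codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class InviteStore:
    """Hypothetical invite store: random, single-use codes kept as digests."""

    def __init__(self):
        self._unused = set()

    def issue_code(self) -> str:
        code = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._unused.add(_digest(code))
        return code

    def seed_raw(self, code: str) -> None:
        """Models a developer inserting a hand-picked code during testing."""
        self._unused.add(_digest(code))

    def redeem(self, code: str) -> bool:
        # Policy check first: short or placeholder values are refused even if
        # a matching row was left behind in the store.
        if len(code) < MIN_CODE_LENGTH or code.lower() in PLACEHOLDER_CODES:
            return False
        wanted = _digest(code)
        if wanted in self._unused:
            self._unused.discard(wanted)  # single use: a code works once
            return True
        return False

    def audit(self) -> list:
        """Release check: placeholder codes that still exist as stored rows."""
        return sorted(c for c in PLACEHOLDER_CODES if _digest(c) in self._unused)
```

Running `audit()` as a release gate and failing the build when it returns a non-empty list catches the leftover row itself, while the policy check in `redeem()` limits the impact if one slips through.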