FirstBlood-#689 — Bypass the invitation code and register your self as a doctor
This issue was discovered on FirstBlood v2
On 2021-10-27, 0xsaltyhash Level 3 reported:
Summary:
In v1 of firstblood we were able to register as doctors by using a leaked invite code, but this has been fixed and the leaked code is no longer valid.
so in order for attacker to register and gain access to the drpanel, he/she needs to obtain a valid invite code.
the scope of firstblood v2 had something out of place, the word testing, so i tried to use test as invite code, and it worked!
Steps to reproduce:
- Go to /register.php page.
- Enter your desired username.
- In invite code field enter
test
and submit the request.

- Observe that the registration is successful and the account is created.

P3 Medium
Endpoint: /register.php
Parameter: inviteCode
Payload: inviteCode=test
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.