FirstBlood-#706 — Full Account takeover (even for admins)
This issue was discovered on FirstBlood v2 (issues patched)
On 2021-10-27, 0xsaltyhash Level 2 reported:
There is a commented-out snippet of JS code on /drpanel/index.php. This code is for changing the password of a user; the JS code is incomplete, but one can fill in the blanks easily.
So I guessed that there is an endpoint /drpanel/drapi/editpassword.php that accepts a POST request with a username body parameter. I tried it on my logged-in user and it succeeded, so why stop there? I know from v1 that the admin account username is drAdmin, so I tried it and indeed I was able to change the password of drAdmin and log in successfully.

POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: <your_instance>.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

username=drAdmin

Me logged in and able to view the appointments of patients (which I couldn't do with my self-registered user).
I can take over any user just by knowing the username.
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to change the admin's password (drAdmin) via /drpanel/drapi/editpassword.php, because the endpoint only looks at the supplied username and never checks that the account belongs to the authenticated session. Usernames can be enumerated at login, since trying 'drAdmin' produces a different error from a nonexistent username. The admin username can also be found in FirstBlood v1.
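The root cause is that the account whose password changes is chosen by a client-controlled body parameter rather than by the server-side session. (The cookie in the request above is just base64 for `{"doctorAuth":authed}`, which names no user, so as exercised the endpoint had nothing but `username` to go on.) Below is an added illustration, not FirstBlood's own code, of a handler with that flaw beside one bound to the session; the users table, its columns, and the `password`, `current_password`, `new_password` and `csrf` field names are assumptions for the example. The last function shows the matching fix for the username-enumeration point in the summary: a single error string for both "no such user" and "wrong password".

```php
<?php
// Added example, not FirstBlood's own code. Models the flaw in
// /drpanel/drapi/editpassword.php (account chosen by a POST 'username')
// next to a handler bound to the server-side session. The users table,
// its columns and the 'password' / 'current_password' / 'new_password' /
// 'csrf' fields are assumptions made for illustration.

declare(strict_types=1);
session_start();

// VULNERABLE: whoever holds a doctorAuthed cookie picks the victim by name.
// Nothing ties $post['username'] to the logged-in user, so
// 'username=drAdmin' resets the administrator's password.
function editPasswordVulnerable(PDO $db, array $post): bool
{
    $username    = (string) ($post['username'] ?? '');
    $newPassword = (string) ($post['password'] ?? '');   // assumed field name
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    return $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
}

// FIXED: the account to update comes from the session, never from the body;
// the caller proves knowledge of the current password and presents a CSRF token.
function editPasswordFixed(PDO $db, array $post): bool
{
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null) {
        http_response_code(401);            // not logged in
        return false;
    }
    if (!hash_equals((string) ($_SESSION['csrf'] ?? ''), (string) ($post['csrf'] ?? ''))) {
        http_response_code(403);            // missing or wrong CSRF token
        return false;
    }
    $current = (string) ($post['current_password'] ?? '');
    $new     = (string) ($post['new_password'] ?? '');
    if (strlen($new) < 12) {
        http_response_code(400);            // weak replacement password
        return false;
    }

    // Look the account up by the session identity; the body cannot name another user.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($current, $row['password_hash'])) {
        http_response_code(403);            // re-authentication failed
        return false;
    }

    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $ok = $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    if ($ok) {
        // Credential change: rotate the session id so an already-captured
        // cookie does not outlive the old password.
        session_regenerate_id(true);
    }
    return $ok;
}

// Same lesson for the login form: one message for both "no such user" and
// "wrong password", so drAdmin cannot be confirmed by comparing error strings.
function loginErrorMessage(bool $userExists, bool $passwordOk): ?string
{
    return ($userExists && $passwordOk) ? null : 'Invalid username or password.';
}
```

If administrators legitimately need to reset other doctors' passwords, that belongs on a separate route gated on a server-side role check, not on the body of the self-service endpoint; the body parameter alone must never decide whose credentials change.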