FirstBlood-#741[COLLAB] Password change endpoint leads to ATO of drAdmin account.
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, amec0e Level 3 reported:

Hi mate,

after using a previous report of mine where we register as a doctor, on the endpoint /drpanel/index.php this shows a commentd out section which allows us to change our passwords, using this and a crafted request we can successfully change the password of admin and drAdmin which leads to an account takeover of the drAdmin account.

Impact:

Allows a newly registered doctor to change the password of the drAdmin account, leading to an account takeover.

NOTE: Doesn't require a doctors account and can be done by any unauthenticated user!

Steps to Reproduce:

  • Using our previous report to Registering as a new doctor Create an account and visit the endpoint /login.php.
  • Once logged in right click and "View page source" and you will see the comment.

  • Now in burpsuite visit the endpoint /drpanel/drapi/editpassword.php
  • Right click the Recent GET request in burpsuite and click "Send to Repeater"
  • Change request method from GET to POST and add the header Content-Type: application/x-www-form-urlencoded
  • Add the body parameters username=drAdmin&password=letmein and click "Send"

You will see the password has been changed and we can now access the drAdmin account.

In Collaboration with thebinarybot

P1 CRITICAL

Endpoint: /editpassword.php

Parameter: NA

Payload: NA


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admins password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.