FirstBlood-#741[COLLAB] Password change endpoint leads to ATO of drAdmin account.
This issue was discovered on FirstBlood v2



On 2021-10-27, amec0e Level 3 reported:

Hi mate,

After using a previous report of mine, where we register as a doctor, the endpoint /drpanel/index.php shows a commented-out section which allows us to change our passwords. Using this and a crafted request, we can successfully change the password of admin and drAdmin, which leads to an account takeover of the drAdmin account.

Impact:

Allows a newly registered doctor to change the password of the drAdmin account, leading to an account takeover.

NOTE: Doesn't require a doctor's account and can be done by any unauthenticated user!

Steps to Reproduce:

  • Using our previous report to register as a new doctor, create an account and visit the endpoint /login.php.
  • Once logged in, right-click and "View page source" and you will see the comment.
  • Now, in Burp Suite, visit the endpoint /drpanel/drapi/editpassword.php.
  • Right-click the recent GET request in Burp Suite and click "Send to Repeater".
  • Change the request method from GET to POST and add the header Content-Type: application/x-www-form-urlencoded.
  • Add the body parameters username=drAdmin&password=letmein and click "Send".

You will see the password has been changed and we can now access the drAdmin account.

In Collaboration with thebinarybot

P1 CRITICAL

Endpoint: /editpassword.php

Parameter: NA

Payload: NA


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) from /drapi/editpassword, as it is only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
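The following is an added example and is not code from the report above or from the FirstBlood application. It models offline the two weaknesses the page describes: the password-change handler that trusts a client-supplied username with no session check (the Steps to Reproduce), and the login response that differs for an existing username (the FirstBlood note on enumeration). It builds the same crafted POST the report sends from Burp Repeater, runs it through a handler with the described behaviour, and then shows a hardened handler that takes the target account from the authenticated session, demands the current password and refuses a username in the form. The user names, the PBKDF2 storage scheme, the session dictionary and the hardened parameter names (`current_password`, `new_password`) are assumptions for illustration; the real FirstBlood v2 code is not shown on the page.

```python
"""Offline model of the editpassword.php flaw from the report (added example,
not the FirstBlood code). Hashing scheme, user names and the hardened API
are assumptions; FirstBlood v2's real implementation is not on the page."""
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

PBKDF2_ROUNDS = 50_000  # assumption: real deployments tune this or use argon2/bcrypt


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def check_password(user: dict, password: str) -> bool:
    # Constant-time compare so the check itself does not leak via timing.
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))


# Constructed sample data: the accounts the report names plus a self-registered doctor.
USERS = {
    "admin": make_user("original-admin-pw"),
    "drAdmin": make_user("original-dradmin-pw"),
    "newdoc": make_user("doctor123"),
}


def build_crafted_request(host: str, username: str, new_password: str) -> bytes:
    """The request the report builds in Repeater: the GET turned into an
    unauthenticated POST whose form body names the victim account."""
    body = urlencode({"username": username, "password": new_password})
    return (
        "POST /drpanel/drapi/editpassword.php HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    ).encode()


def parse_form_body(raw_request: bytes) -> dict:
    """Split headers from body and decode the urlencoded form (first value per key)."""
    _, _, body = raw_request.partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}


def vulnerable_edit_password(users: dict, form: dict) -> bool:
    """Behaviour the report describes: the only check is that the username
    exists. No session, no current password, the attacker picks the target."""
    target = users.get(form.get("username", ""))
    if target is None:
        return False
    target["salt"] = os.urandom(16)
    target["hash"] = hash_password(form.get("password", ""), target["salt"])
    return True


def hardened_edit_password(users: dict, sessions: dict, session_id: str, form: dict) -> bool:
    """Hardened form (assumed design, not the FirstBlood fix): the account comes
    from the authenticated session, never from the form; the caller must prove
    the current password; a submitted username is rejected outright."""
    username = sessions.get(session_id)
    if username is None or "username" in form:
        return False
    user = users[username]
    if not check_password(user, form.get("current_password", "")):
        return False
    new_password = form.get("new_password", "")
    if len(new_password) < 12:  # assumption: minimum length policy
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    return True


def login_message(users: dict, username: str, password: str) -> str:
    """One failure text for unknown user and wrong password, so the login page
    no longer confirms that 'drAdmin' exists, as the FirstBlood note describes."""
    user = users.get(username)
    if user is not None and check_password(user, password):
        return "ok"
    return "Invalid username or password"


if __name__ == "__main__":
    raw = build_crafted_request("firstblood.example", "drAdmin", "letmein")
    form = parse_form_body(raw)
    print("vulnerable handler accepted:", vulnerable_edit_password(USERS, form))
    print("drAdmin login with letmein:", login_message(USERS, "drAdmin", "letmein"))
    sessions = {"sess-newdoc": "newdoc"}  # constructed session for the self-registered doctor
    print("hardened handler, unauthenticated:", hardened_edit_password(USERS, sessions, "", form))
    print("hardened handler, doctor sends username=drAdmin:",
          hardened_edit_password(USERS, sessions, "sess-newdoc", form))
```

The point of the hardened handler is that the victim account is never a request parameter: whoever holds the session is the only account that can change, and only after proving the current password, so a self-registered doctor cannot reach drAdmin at all. The uniform login message is the companion fix for the enumeration the FirstBlood note mentions; if the application also rate-limits login attempts, the leftover timing difference between a missing user and a wrong password matters less, but the message text is the part that leaked here.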