FirstBlood-#741 — [COLLAB] Password change endpoint leads to ATO of drAdmin account.
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, amec0e Level 3 reported:
After using a previous report of mine where we register as a doctor, on the endpoint /drpanel/index.php this shows a commented out section which allows us to change our passwords. Using this and a crafted request we can successfully change the password of drAdmin, which leads to an account takeover of the drAdmin account.
Allows a newly registered doctor to change the password of the drAdmin account, leading to an account takeover.
NOTE: Doesn't require a doctor's account and can be done by any unauthenticated user!
Steps to Reproduce:
- Using our previous report to register as a new doctor, create an account and visit the endpoint
- Once logged in right click and "View page source" and you will see the comment.
- Now in Burp Suite visit the endpoint
- Right click the recent GET request in Burp Suite and click "Send to Repeater"
- Change request method from
POST and add the header
- Add the body parameters
username=drAdmin&password=letmein and click "Send"
You will see the password has been changed and we can now access the drAdmin account.
In Collaboration with thebinarybot
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
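As an added model of the flaw described above and its fix (written here in Python, not FirstBlood's own PHP), the vulnerable handler takes the account to modify from the request body, while the hardened handler binds the change to the server-side session identity and requires the current password; the user table, passwords and helper names are constructed for the example.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_table() -> dict:
    """Constructed sample users; drAdmin mirrors the account named in the report."""
    users = {}
    for name, pw in (("drAdmin", "Adm1n-Start-Pass"), ("newdoc", "Doc-Start-Pass-1")):
        salt = os.urandom(16)
        users[name] = {"salt": salt, "hash": _hash(pw, salt)}
    return users

def check_login(users: dict, username: str, password: str) -> bool:
    """Same boolean for unknown user and wrong password: no username enumeration."""
    rec = users.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def vulnerable_editpassword(users: dict, form: dict) -> bool:
    """The /drapi/editpassword logic as reported: trusts 'username' from the
    body and never checks who is logged in, so any caller can reset any user."""
    username = form.get("username")
    if username not in users:
        return False
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": _hash(form.get("password", ""), salt)}
    return True

def fixed_editpassword(users: dict, session: dict, form: dict) -> bool:
    """Hardened: identity comes only from the authenticated session, the caller
    must prove the current password, and a 'username' field in the body is ignored."""
    username = session.get("user")
    if username is None or username not in users:
        return False
    if not check_login(users, username, form.get("current_password", "")):
        return False
    new_password = form.get("password", "")
    if len(new_password) < 12:
        return False
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": _hash(new_password, salt)}
    return True
```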