FirstBlood-#788 Unexpected registered users
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-28, 2022isnew Level 2 reported:

Summary

  1. Many thanks to my friend for giving me the right direction.

  2. I am really thankful to zseano, for organizing this bounty event, which made me learn a lot.

  3. He has taught me the importance of reading the rules and the groundbreaking thinking and grasp of detail needed to dig for loopholes!!!!

  4. I have been very excited because of this discovery.

Steps

  1. At first I made a guess at the end of the user registration flow. I found out that when I entered the drAdmin user and the 1111 invitation code, the response was: "This is the administrator account and you are not allowed access." This lets us know that the drAdmin user exists and still has administrator privileges.

  2. During this time I also read the full report disclosed for v1. I know this invite code was found in v1 through a Google search.

  3. But after a long time of testing I still had not succeeded, until today, when my friend gave me the right direction: he told me to read the rules of v2 carefully.

  4. After I carefully read the rules of v2, I found that a lot of words are shown in bold.

  5. After careful observation, I found that the word "test" is different from the others. Normally, bold text is bolded together with the surrounding bold words, but this "test" is different: it is bolded separately. So I tried "test" as both the username and the invitation code. I didn't expect it to work! I'm so happy that my long-standing login problem is finally solved!

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: NA


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
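The two behaviours this report relies on, a test invite code that still bypasses the real check and a registration error message that confirms the drAdmin account exists and is an administrator, shown as an added PHP example beside a hardened version. This is not FirstBlood's own code: the function names, the invite_codes and users tables, the in-memory SQLite store, the response strings of the hardened variant and the placeholder value of TEST_INVITE_CODE are all assumptions made for illustration.

```php
<?php
// Added example for this report; this is not FirstBlood's own code. The function
// names, the invite_codes/users tables, the in-memory SQLite store and the value
// of TEST_INVITE_CODE are assumptions made for illustration (needs PDO with the
// sqlite driver).
declare(strict_types=1);

// Placeholder for the leftover test value; the report found the live one in the v2 rules.
const TEST_INVITE_CODE = 'test';

function bootstrap(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE invite_codes (id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL, used_at TEXT)');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample data: one unused real code, one already-consumed v1 code, the admin account.
    $db->exec("INSERT INTO invite_codes (code, used_at) VALUES ('real-code-1', NULL), ('v1-code-1111', '2021-01-01')");
    $db->exec("INSERT INTO users (username, is_admin) VALUES ('drAdmin', 1)");
    return $db;
}

function lookupUnusedCode(PDO $db, string $code): ?int
{
    $stmt = $db->prepare('SELECT id FROM invite_codes WHERE code = ? AND used_at IS NULL');
    $stmt->execute([$code]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Vulnerable: the developer's short-circuit survived the removal of the v1 code,
// so anyone who learns TEST_INVITE_CODE can register without a real invite.
function inviteCodeIsValidVulnerable(PDO $db, string $code): bool
{
    if ($code === TEST_INVITE_CODE) {
        return true;                        // never touches the table
    }
    return lookupUnusedCode($db, $code) !== null;
}

// Hardened: the table is the only source of truth and a code is burned on use.
function inviteCodeIsValid(PDO $db, string $code): bool
{
    $id = lookupUnusedCode($db, $code);
    if ($id === null) {
        return false;
    }
    $db->prepare('UPDATE invite_codes SET used_at = CURRENT_TIMESTAMP WHERE id = ?')->execute([$id]);
    return true;
}

// Registration handler. The vulnerable variant also answers differently for the
// administrator's username, which is how step 1 of the report learned that drAdmin
// exists and is an administrator before any working invite code was known.
function register(PDO $db, string $username, string $code, bool $hardened): string
{
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $existing = $stmt->fetchColumn();       // false when the username is free

    if (!$hardened) {
        if ($existing !== false && (int) $existing === 1) {
            return 'This is the administrator account and you are not allowed access.';
        }
        if ($existing !== false) {
            return 'Username already taken.';
        }
        if (!inviteCodeIsValidVulnerable($db, $code)) {
            return 'Invalid invite code.';
        }
        $db->prepare('INSERT INTO users (username) VALUES (?)')->execute([$username]);
        return 'Registered.';
    }

    // Hardened: burn the code and create the user atomically, and answer every
    // failure with the same message so the caller cannot tell whether the code was
    // wrong, the name is taken, or the name belongs to an administrator.
    $db->beginTransaction();
    if ($existing !== false || !inviteCodeIsValid($db, $code)) {
        $db->rollBack();
        return 'Registration failed.';
    }
    $db->prepare('INSERT INTO users (username) VALUES (?)')->execute([$username]);
    $db->commit();
    return 'Registered.';
}

// Walk-through: the leftover code, then the admin-name leak, then the hardened path.
$db = bootstrap();
echo register($db, 'newuser', TEST_INVITE_CODE, false), PHP_EOL;   // leftover test code is accepted
echo register($db, 'drAdmin', TEST_INVITE_CODE, false), PHP_EOL;   // message reveals the admin account

$db = bootstrap();
echo register($db, 'newuser', TEST_INVITE_CODE, true), PHP_EOL;    // test code is rejected
echo register($db, 'newuser', 'real-code-1', true), PHP_EOL;       // real unused code works
echo register($db, 'another', 'real-code-1', true), PHP_EOL;       // same code cannot be reused
```

The practical check this suggests for a triage or regression suite is simple: after a release that "removes" invite codes, register with every value that ever appeared in the source, fixtures, documentation or public rules (the v1 code found through Google, the bolded word in the v2 rules), and confirm each one is rejected with the same generic message as a random string.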