FirstBlood-#788 — Unexpected registered users
This issue was discovered on FirstBlood v2
On 2021-10-28, axe Level 4 reported:
Many thanks to my friend for giving me the right direction.
I am really thankful to zseano for organizing this bounty event, which made me learn a lot.
He has taught me the importance of reading the rules, and the groundbreaking thinking and grasp of detail needed to dig for loopholes!
I have been very excited because of this discovery.
At first I had a guess at the end of registering users. I found that when I entered the `drAdmin` user and the `1111` invitation code, the response was "This is the administrator account and you are not allowed access." This lets us know that the `drAdmin` user exists and still has `administrator` privileges.
During this time I also read the full report disclosed for v1. I know this invite code was found in v1 through a Google search. But after a long time of testing I didn't succeed, until today my friend gave me the right direction: he told me to read the rules of v2 carefully.
After I carefully read the rules of v2, I found that a lot of the text is shown in bold. After careful observation, I found that the word `test` is different from the others. Normally the bold covers the whole word `testing`, but this `test` is different: it is bolded separately. So I tested this `test` as both the username and the invitation code. I didn't expect it to work! I'm so happy that my long-standing login problem is finally solved!
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.