FirstBlood-#809 — An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r (Level 4) reported:
Summary
In version 1 of FirstBlood, an account with the same username could be created, which leads to the original account being deleted and replaced with the attacker's. This doesn't appear to have been fixed. As long as a new user is created between the first registration and the replacement, it is accepted and overwritten.
Steps to reproduce
1. Go to /register.php and enter a Username of xnluser1 and the Unique invite code of test to create a new account.
2. Try to enter the same Username of xnluser1 and the Unique invite code of test again to replace that account. This now fails because it has been "fixed".
3. Now create a different user, e.g. xnluser2, which is successful.
4. Now enter a Username of xnluser1 and the Unique invite code of test (as done in Step 1 and Step 2). This time the registration is successful and a new password is given for the account xnluser1.
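The behaviour in the four steps above is consistent with a duplicate-username check that only compares against the most recently created account, so any other registration in between hides the collision and the existing row gets replaced. The following is an added example, not FirstBlood's own code: it models that assumed flawed check beside a corrected check that looks up the username across the whole store, and replays the report's steps against both. The in-memory `UserStore`, the `register_flawed`/`register_fixed` functions and the generated passwords are all constructed for this illustration; the invite-code check is out of scope and not modelled.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str


class UserStore:
    """In-memory stand-in for the users table behind /register.php.

    Constructed for this example; the real FirstBlood schema is not on the page.
    Accounts are kept in registration order so "most recent" is well defined.
    """

    def __init__(self) -> None:
        self.accounts: list[Account] = []

    def find(self, username: str) -> Account | None:
        return next((a for a in self.accounts if a.username == username), None)

    def most_recent(self) -> Account | None:
        return self.accounts[-1] if self.accounts else None


def register_flawed(store: UserStore, username: str) -> Account | None:
    """Duplicate check that only inspects the last account created (assumed root cause).

    Returns the new Account, or None when registration is rejected.
    """
    last = store.most_recent()
    if last is not None and last.username == username:
        return None  # collision is only noticed when it is with the newest row
    existing = store.find(username)
    if existing is not None:
        store.accounts.remove(existing)  # the original account is dropped ...
    acct = Account(username, secrets.token_hex(8))
    store.accounts.append(acct)  # ... and replaced with a freshly generated password
    return acct


def register_fixed(store: UserStore, username: str) -> Account | None:
    """Reject any username that already exists anywhere in the store."""
    if store.find(username) is not None:
        return None
    acct = Account(username, secrets.token_hex(8))
    store.accounts.append(acct)
    return acct


def walk_through_report(register) -> dict:
    """Replay the four reproduction steps against a registration function."""
    store = UserStore()
    first = register(store, "xnluser1")    # step 1: initial account
    retry = register(store, "xnluser1")    # step 2: immediate retry, should be rejected
    other = register(store, "xnluser2")    # step 3: unrelated user in between
    replay = register(store, "xnluser1")   # step 4: same username again
    survivor = store.find("xnluser1")
    return {
        "step2_rejected": retry is None,
        "step3_created": other is not None,
        "step4_accepted": replay is not None,
        "original_password_kept": survivor is not None
        and survivor.password == first.password,
        "account_count": len(store.accounts),
    }


if __name__ == "__main__":
    print("flawed:", walk_through_report(register_flawed))
    print("fixed: ", walk_through_report(register_fixed))
```

With the flawed check, step 4 is accepted and the surviving xnluser1 row carries a new password, which is exactly what the report observes; with the fixed check, step 4 is rejected and the original credentials survive. In a real database the application-level lookup should be backed by a UNIQUE constraint on the username column, so that two registrations racing between the check and the insert cannot both succeed.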
Impact
An attacker can register with a username that already exists and replace that account.
P3 Medium
Endpoint: /register.php
Parameter: username
Payload: n/a
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.