FirstBlood-#809: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r Level 4 reported:

Summary

In version 1 of First Blood, an account with the same username could be created, which led to the original account being deleted and replaced with the attacker's. This doesn't appear to have been fixed: as long as a new user is created between the first and the replacement, it is accepted and overwritten.

Steps to reproduce

  1. Go to /register.php and enter a Username of xnluser1 and the Unique invite code of test to create a new account:

  2. Try to enter the same Username of xnluser1 and the Unique invite code of test again to replace that account. This now fails because it has been "fixed":

  3. Now create a different user, e.g. xnluser2 which is successful:

  4. Now enter a Username of xnluser1 and the Unique invite code of test (as done in Step 1 and Step 2), but this time the registration is successful and a new password is given for the account xnluser1:

Impact

An attacker can register with a user name that already exists and replace that account.

P3 Medium

Endpoint: /register.php

Parameter: username

Payload: n/a


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
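The replacement behaviour in the four steps above, modelled as an added example (this is not FirstBlood's code, and the cause shown is an assumption consistent with the steps, not a confirmed root cause): a registration handler whose duplicate check compares only the most recently created account, beside a hardened handler that lets the database enforce uniqueness. The invite-code check is left out, and the table, usernames and step replay are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for a registration table; not FirstBlood's schema.
def make_db(unique):
    db = sqlite3.connect(":memory:")
    constraint = " UNIQUE" if unique else ""
    db.execute(f"CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL{constraint})")
    return db

def register_flawed(db, username):
    """Hypothetical flawed handler (an assumption about the cause): the duplicate
    check looks only at the most recently created account, so a username is rejected
    only when it was the last one registered. Otherwise the existing row is dropped and
    recreated, which is the replacement the report describes."""
    last = db.execute("SELECT username FROM users ORDER BY id DESC LIMIT 1").fetchone()
    if last and last[0] == username:
        return False
    db.execute("DELETE FROM users WHERE username = ?", (username,))
    db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    db.commit()
    return True

def register_fixed(db, username):
    """Hardened handler: uniqueness is enforced by the database (UNIQUE column), so
    every existing account blocks the insert, and there is no delete-and-recreate path."""
    try:
        db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    except sqlite3.IntegrityError:
        db.rollback()
        return False
    db.commit()
    return True

def account_id(db, username):
    """Row id of an account, or None; a changed id means the account was replaced."""
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def run_steps(register, db):
    """Replays the report's four steps and returns each step's success flag."""
    return [register(db, "xnluser1"),   # step 1: create the account
            register(db, "xnluser1"),   # step 2: same name again, should fail
            register(db, "xnluser2"),   # step 3: an unrelated account in between
            register(db, "xnluser1")]   # step 4: original name again

if __name__ == "__main__":
    for name, reg, db in (("flawed", register_flawed, make_db(False)),
                          ("fixed", register_fixed, make_db(True))):
        print(name, run_steps(reg, db), "xnluser1 id:", account_id(db, "xnluser1"))
```

With the flawed handler step 4 succeeds and xnluser1 gets a new row id (the original account is gone); with the hardened handler step 4 fails and the original id survives.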