FirstBlood-#837 — Change user passwords at will to enable account takeover
This issue was discovered on FirstBlood v2
On 2021-10-29, axe Level 4 reported:
Discovery process: register user Axe -> after successful login, visit the HTML code of the
/drpanel/index.php endpoint -> discover sensitive information
Test sensitive endpoint
registered user Jam
Login successfully, visit the HTML code of
Sensitive information found.
Why do you think this is sensitive information? It's because of the
/* */ JS comment characters, and noting that the
Since there is no place that calls this method or passes the username parameter, priority is given to trying files with this name.
In the general case of back-end code, developers usually make the request path sent to the back end the same as the function name the front end uses. So it was thought to access the
/drpanel/drapi/editpassword.php file with the
The reason why the path is
/drpanel/drapi/ is because the code already tells this path!!!
Found that jam's password has been updated
Log out of the login and use the new password to log in to your account.
Then we can try to update the password of the administrator
Update administrator password -> Update successfully
Login to admin account ->
tF2qCgs9XWOaUyY -> Login successful
- change user passwords at will to enable account takeover !!!
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword, as the endpoint only looks at the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
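The two weaknesses described here, a password-change handler that trusts only the submitted username and a login that leaks whether a username exists, modelled side by side with their hardened forms. This is an added example written for this page, not FirstBlood's own code; the in-memory user store, account names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

_DUMMY_SALT = b"\x00" * 16  # used to keep login timing uniform for unknown users


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_users() -> dict:
    """Constructed user store: 'jam' is a normal user, 'dradmin' the admin."""
    users = {}
    for name, pw in (("jam", "jam-pass"), ("dradmin", "admin-pass")):
        salt = secrets.token_bytes(16)
        users[name] = {"salt": salt, "hash": _hash(pw, salt)}
    return users


def editpassword_vulnerable(users: dict, username: str, new_password: str) -> str:
    """Models the reported flaw: the only input consulted is the username."""
    if username not in users:
        return "user not found"  # distinct error also enables enumeration
    u = users[username]
    u["hash"] = _hash(new_password, u["salt"])
    return "updated"


def editpassword_fixed(users: dict, session_user, username: str,
                       current_password: str, new_password: str) -> str:
    """Hardened: target must be the session's own account, current password re-verified."""
    if session_user is None or session_user != username:
        return "forbidden"
    u = users.get(username)
    if u is None or not hmac.compare_digest(_hash(current_password, u["salt"]), u["hash"]):
        return "forbidden"
    u["salt"] = secrets.token_bytes(16)  # fresh salt on every change
    u["hash"] = _hash(new_password, u["salt"])
    return "updated"


def login(users: dict, username: str, password: str):
    """Returns the username on success, None otherwise; the same failure
    result (and comparable timing) whether the username or password is wrong."""
    u = users.get(username)
    salt = u["salt"] if u else _DUMMY_SALT
    candidate = _hash(password, salt)
    ok = u is not None and hmac.compare_digest(candidate, u["hash"])
    return username if ok else None
```

The caller of `login` should map `None` to a single "invalid username or password" message so that 'drAdmin' and a nonexistent name produce the same response.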