FirstBlood-#857 — Changing Anyone's Password Including drAdmin (As a Non-authenticated user)
This issue was discovered on FirstBlood v2
On 2021-10-29, th4nu0x0 Level 2 reported:
Summary:
- After finding a way to register and log in, on the dashboard source code (view-source) I found commented-out JavaScript code labelled as a to-do, which seemed to be password change functionality. Using that code I tried to make a request to the endpoint
POST /drpanel/drapi/editpassword.php
with a username; surprisingly, the password of the account got updated and the new password was displayed in the response.
- So I tried to update the drAdmin password, and it was updated and the new password was shown in the response.
- And finally I tried removing cookies to see if it is accessible to non-authenticated users; surprisingly, yes, passwords can be changed by anyone.
Non-authenticated User:
Authenticated User:
Steps To Reproduce:
- Create a POST Request to
POST /drpanel/drapi/editpassword.php
- In the body add
username=drAdmin
- Send the request
Impact:
Changing the password of any account, including drAdmin, as a non-authenticated user.
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
This report contains multiple vulnerabilities:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (drAdmin) from /drapi/editpassword as it only checks the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can actually be accessed unauthenticated.
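As an added illustration of both findings (IDs 27 and 28), not FirstBlood's own source, which the report does not show: a minimal reconstruction of the handler shape the report describes, next to a hardened version that requires an authenticated session, takes the target account from that session rather than from a client-supplied username, verifies the current password, and never echoes the new one. The PDO handle, the users table with id/username/password columns, and the session layout are assumptions.

```php
<?php
// Added example; table and column names and the session layout are assumptions.

// VULNERABLE shape as described in the report: no session check, the target
// account is chosen by a client-supplied username, and the new password is
// returned in the response. How the real endpoint picked the new value is not
// known; a random one is assumed here.
function editpassword_vulnerable(PDO $db, array $post): string {
    $username = $post['username'] ?? '';
    $new = bin2hex(random_bytes(8));
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return json_encode(['new_password' => $new]); // leaks the credential
}

// HARDENED: caller must be logged in, may only change their own password,
// must prove knowledge of the current one, and the response carries no secret.
function editpassword_hardened(PDO $db, array $post, array $session): string {
    if (empty($session['user_id'])) {
        http_response_code(401);                  // fixes FirstBlood ID 28
        return json_encode(['error' => 'authentication required']);
    }
    // Target is derived from the session, never from $post['username'].
    $userId  = (int) $session['user_id'];         // fixes FirstBlood ID 27
    $current = $post['current_password'] ?? '';
    $new     = $post['new_password'] ?? '';
    if (strlen($new) < 12) {
        http_response_code(400);
        return json_encode(['error' => 'new password too short']);
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        http_response_code(403);
        return json_encode(['error' => 'current password incorrect']);
    }
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return json_encode(['status' => 'password updated']);
}

// Wiring for the live endpoint: the session is the only source of identity.
session_start();
$db = new PDO('sqlite::memory:'); // placeholder DSN for the example
echo editpassword_hardened($db, $_POST, $_SESSION);
```

An administrator changing someone else's password would need a separate, explicitly role-checked endpoint; nothing in the self-service path above should accept a target username.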