FirstBlood-#857 — Changing Anyone's Password Including drAdmin (As a Non-authenticated user)
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, th4nu0x0 (Level 2) reported:
- POST /drpanel/drapi/editpassword.php with a username: surprisingly, the password of the account got updated and the new password was displayed in the response.
- So I tried to update the drAdmin password and it was updated and the new password was shown in the response.
- And finally I tried to remove cookies to see if it is accessible to non-authenticated users; surprisingly, yes, passwords can be changed by anyone.
Steps To Reproduce:
- Create a POST request to /drpanel/drapi/editpassword.php
- In the body, add
- Send the request
Changing the password of any account, including drAdmin, as a non-authenticated user.
This bug makes use of the following vulnerabilities in a chain:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) via /drapi/editpassword because the endpoint only looks up the target account by the supplied username; it never checks who is making the request or asks for the current password. Usernames can be enumerated at login, since trying 'drAdmin' produces a different error from a non-existent user. The username can also be found in FirstBlood v1.
FirstBlood ID: 28
Vulnerability Type: Auth issues
The endpoint /drapi/editpassword can be accessed unauthenticated: it performs no session check at all, so the username-only password edit above is available to anyone who can reach the path, not just logged-in panel users.
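The two findings above (ID 27, target chosen by username alone; ID 28, no authentication on the endpoint) are easiest to see side by side in code. The following is an added illustration written for this page, not FirstBlood's actual editpassword.php: the table name `users`, its columns, the `role` session key and the SQLite setup are all assumptions made so the file runs stand-alone with `php`.

```php
<?php
// Added example, not FirstBlood's code. Assumed schema: table `users`
// with columns id, username, password (password_hash output).

// VULNERABLE shape matching the report: no session check, the only lookup key
// is the attacker-supplied username, no current password or CSRF token is
// required, and the new password is echoed back in the response.
function edit_password_vulnerable(PDO $pdo, array $post): string
{
    $username    = $post['username'] ?? '';
    $newPassword = $post['password'] ?? bin2hex(random_bytes(6)); // assumed: server picks one if absent
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    return "Password for {$username} changed to {$newPassword}";
}

// HARDENED shape for an admin-panel reset: the caller's identity and role come
// from the server-side session, never from the body; a CSRF token bound to the
// session is required; the response confirms success but never reveals the
// password. Returns [HTTP status, message].
function edit_password_hardened(PDO $pdo, array $post, array $session): array
{
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        return [401, 'Authentication required'];
    }
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        return [403, 'Invalid CSRF token'];
    }
    $username = $post['username'] ?? '';
    $new      = $post['password'] ?? '';
    if (strlen($new) < 12) {
        return [400, 'New password must be at least 12 characters'];
    }
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    if ($stmt->rowCount() !== 1) {
        // Same message whether the user exists or not, to avoid enumeration.
        return [400, 'Password update failed'];
    }
    error_log("password reset for {$username} by admin user {$session['user_id']}");
    return [200, 'Password updated'];
}

// --- stand-alone demonstration on an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['drAdmin', password_hash('original-secret', PASSWORD_DEFAULT)]);

$attackerRequest = ['username' => 'drAdmin', 'password' => 'attacker-controlled-pw'];

// No cookies, no session: the vulnerable handler still rotates drAdmin's password.
echo edit_password_vulnerable($pdo, $attackerRequest), PHP_EOL;

// The same unauthenticated request against the hardened handler is refused.
[$code, $msg] = edit_password_hardened($pdo, $attackerRequest, []);
echo "unauthenticated: {$code} {$msg}", PHP_EOL;

// A genuine admin session with a matching CSRF token succeeds, and the
// response does not contain the password.
$session = ['user_id' => 1, 'role' => 'admin', 'csrf_token' => bin2hex(random_bytes(16))];
[$code, $msg] = edit_password_hardened(
    $pdo,
    $attackerRequest + ['csrf_token' => $session['csrf_token']],
    $session
);
echo "admin session: {$code} {$msg}", PHP_EOL;
```

The point of the contrast is that the username in the body is data about the target, not proof of who the caller is; authorisation has to come from server-held session state, and a password-reset response should never carry the secret it just set.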