FirstBlood-#857 Changing Anyone's Password Including drAdmin (As a Non-authenticated user)
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-29, th4nu0x0 Level 2 reported:

Summary:

  • After finding a way to register and log in, I found, in the dashboard source code (view-source), a commented-out piece of JavaScript labelled as a to-do which seemed to be a password change functionality. Using that code I tried making a request to the endpoint POST /drpanel/drapi/editpassword.php with a username; surprisingly, the password of the account got updated and the new password was displayed in the response.
  • So I tried updating the drAdmin password: it was updated and the new password was shown in the response.
  • Finally, I removed the cookies to see if the endpoint is accessible to non-authenticated users; surprisingly, yes, passwords can be changed by anyone.

Non-authenticated User:

Authenticated User:

Steps To Reproduce:

  • Create a POST request to /drpanel/drapi/editpassword.php
  • In the body add username=drAdmin
  • Send the request

Impact:

Changing the password of any account, including drAdmin, as a non-authenticated user.

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

This bug makes use of the following vulnerabilities in a chain:

  • Application/Business Logic (FirstBlood ID 27)
  • Auth issues (FirstBlood ID 28)


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (drAdmin) via /drapi/editpassword because the endpoint only looks at the supplied username and never checks that the requester is that user. Usernames can be enumerated at login, since trying 'drAdmin' produces a different error message from a non-existent user. The username can also be found from FirstBlood v1.

FirstBlood ID: 28
Vulnerability Type: Auth issues

The endpoint /drapi/editpassword can be accessed without any authentication at all.
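The two weaknesses above (FirstBlood ID 27 and 28) and the login enumeration mentioned with ID 27, modelled side by side as an added Python example. This is not FirstBlood's own editpassword.php or login code, which is not shown on this page; the in-memory user table, the session cookie name drps, the server generating the new password itself, and the PBKDF2 hashing scheme are all assumptions made for illustration. The vulnerable handler reproduces the behaviour the report describes (username-only input, no session check, new password echoed in the body); the fixed handler requires a session, only allows a user to change their own password, re-checks the current password, and never returns the secret.

```python
import hashlib
import hmac
import secrets

# --- constructed sample data and helpers (assumptions, not FirstBlood code) ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))

def new_user_table() -> dict:
    # Fictional credentials; drAdmin is the account named in the report.
    return {"drAdmin": make_user("admin-secret-x"), "th4nu0x0": make_user("tester-pass-1")}

SESSION_COOKIE = "drps"            # assumed cookie name
DUMMY_USER = make_user("dummy")    # used so unknown users cost the same work at login

class Request:
    """Minimal stand-in for an HTTP request: form fields plus cookies."""
    def __init__(self, form=None, cookies=None):
        self.form = form or {}
        self.cookies = cookies or {}

# --- FirstBlood ID 27 + 28: what the report describes ---

def editpassword_vulnerable(req: Request, users: dict):
    """Only a username is required, no session is checked (ID 28), the caller
    may name any account (ID 27), and the new password is echoed back."""
    username = req.form.get("username")
    if username not in users:
        return 404, "unknown user"
    new_password = secrets.token_urlsafe(9)   # assumption: server picks the password
    users[username] = make_user(new_password)
    return 200, f"Password changed to {new_password}"

def editpassword_fixed(req: Request, users: dict, sessions: dict):
    """Authenticated, self-only, re-authenticated with the current password,
    and the response never carries the new secret."""
    actor = sessions.get(req.cookies.get(SESSION_COOKIE))
    if actor is None:
        return 401, "authentication required"
    target = req.form.get("username", actor)
    if target != actor:                      # no cross-account changes
        return 403, "cannot change another user's password"
    if not verify_password(users[actor], req.form.get("current_password", "")):
        return 403, "current password incorrect"
    new_password = req.form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "new password too short"
    users[actor] = make_user(new_password)
    return 200, "password changed"

# --- username enumeration at login, as noted under ID 27 ---

def login_leaky(username: str, password: str, users: dict) -> str:
    """Distinct messages reveal whether the username exists."""
    if username not in users:
        return "no such user"
    if not verify_password(users[username], password):
        return "wrong password"
    return "ok"

def login_fixed(username: str, password: str, users: dict) -> str:
    """One uniform failure message; the hash is computed either way so the
    timing does not leak existence either."""
    user = users.get(username, DUMMY_USER)
    ok = verify_password(user, password) and username in users
    return "ok" if ok else "invalid username or password"

if __name__ == "__main__":
    users = new_user_table()
    # The report's reproduction: no cookies, just username=drAdmin.
    print(editpassword_vulnerable(Request({"username": "drAdmin"}), users))
    print(editpassword_fixed(Request({"username": "drAdmin"}), users, {}))
```

The `editpassword_vulnerable` call in the usage block mirrors the Steps To Reproduce exactly: a bare POST with `username=drAdmin` and no session, answered with a 200 and the fresh password. The fixed version returns 401 for that same request, 403 when a logged-in user names someone else's account, and 200 without the secret only for a self-change with the correct current password.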