FirstBlood-#922 Various authentication issues
This issue was discovered on FirstBlood v2
On 2021-10-30, panya Level 7 reported:

I'm not sure about these issues since they're very minor, but still reporting them.

A session cookie for a doctor is set in the /register.php POST request's response, so a newly created doctor can use the doctor panel even without logging in.

Steps to reproduce:

  1. Register a doctor (e.g. with name test and invite code test).
  2. After the login creds are shown, notice that the correct session cookie (drps) is already set by the register request's response.
  3. Navigate to /drpanel.

Actual result:

Doctor's admin panel will be shown.

Expected result:

The newly registered doctor should not be allowed to view the admin panel without logging in. After navigation to /drpanel there should be a redirect to the main page or the login page.

The logout process on /vaccination-manager/logout.php is not working correctly.

Steps to reproduce:

  1. Log in as an administrator at /vaccination-manager/login.php.
  2. Click on Secure Logout button.
  3. Visit /vaccination-manager/portal.php page again.

Actual result:

The vaccination manager admin page will be shown.

Expected result:

The user should be redirected to the main page or vaccination manager login page.

P4 Low

FirstBlood ID: 43
Vulnerability Type: Application/Business Logic

The session cookie is not invalidated in the database, so old session tokens remain valid until a new login is made and a new session token is set.
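As an added example (not FirstBlood's own code), the reported logout flaw next to its fix, with an in-memory sqlite table standing in for the app's session store; the table schema, function names and the one-session-per-user rule are assumptions.

```python
import secrets
import sqlite3

# Constructed stand-in for the application's session table (assumed schema).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")


def login(username):
    """Issue a fresh token and persist it; this is the value the session cookie carries.
    Any previous row for the user is replaced, which is why a new login is the only
    thing that kills an old token in the broken version."""
    token = secrets.token_hex(16)
    db.execute("DELETE FROM sessions WHERE username = ?", (username,))
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token, username))
    return token


def whoami(token):
    """Per-request check: the cookie is trusted only while its token is still in the table."""
    row = db.execute("SELECT username FROM sessions WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def logout_broken(token):
    """Mirrors the reported behaviour: the browser cookie gets expired via Set-Cookie,
    but the server-side row is left untouched, so a copy of the cookie still works."""
    return None


def logout_fixed(token):
    """Correct logout: delete the token server-side so a replayed cookie is rejected."""
    db.execute("DELETE FROM sessions WHERE token = ?", (token,))
    return None


def token_survives_logout(logout):
    """Regression check: does a token captured before logout still authenticate after it?"""
    old = login("admin")
    logout(old)
    return whoami(old) is not None


def token_survives_new_login():
    """Even with the broken logout, a fresh login replaces the row and retires the old token."""
    old = login("admin")
    logout_broken(old)
    login("admin")
    return whoami(old) is not None
```

Running `token_survives_logout` with each logout variant is the check a fix for this report should pass: True for the broken flow, False once the token is deleted server-side.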

Report Feedback

@zseano

Creator & Administrator
Hi panya, you are correct that the drps cookie is set upon registering rather than logging in and this was just how the web app was designed by us. Not ideal I agree and something we will make some changes on for future events :) However the second issue of sessions not being invalidated is a genuine issue. Nice work!