FirstBlood-#924AppLogic when registering as a doctor using invite code
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-30, mrrootsec Level 2 reported:

Description :

As per the application behavior using invite code doctor can register one time. But if invite code used again to create another user,application will delete previous registered user.Which will impact on business requirements.

Steps to Reproduce the issue :

  1. Navigate to /register.php.
  2. Now provide the username as "mrroot" to register by using invite code test
  3. Application validates invite code and provides the access credentials. Take note of the credentials.
  4. Again register with different username[ mrroot2 ] but same invite code . you will get the login credentials for this user too.
  5. Now go to /login.php and provide the login credentials first registered user [ mrroot ]. Application throws an error saying User is not Exist
  6. We can verify this if this doctor exist or not using /drpanel/drapi/editpassword.php endpoint which update password for doctor's so it response like this if user is valid this endpoint update it's password
  7. If we try with user[ mrroot ],it will shows user not found ! .Which means user is not existed in the application anymore.But if we provide [ mrroot2],it will provide the updated password.Which means the user [ mrroot ] is deleted when user [mrroot2] is registered.

Impact:

  1. As an attacker using leaked invite code, attacker can abuse this by registering for new account which is not good for already registered doctor.

Remediation / Fix :

  1. Invite code should be expired after using one time

Thanks and Regards

MOHAMMAD SAQLAIN

P3 Medium

Endpoint: NA

Parameter: NA

Payload: NA


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.