FirstBlood-#1176 — Username enumeration through editpassword.php
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
Summary:
Hi!
After I checked the editpassword.php endpoint, it appeared to me that the response strongly differs once an invalid username is submitted.
This can help in identifying new users and using the same endpoint to reset their passwords.
Possible cause:
Verbose messages were probably left on so that the developers could check whether a user exists or not, but apparently they were not removed when it was pushed to production.
Impact:
I'm able to identify usernames thanks to the messages the server responds with.
Steps to reproduce:
1) Replicate the following request:
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: 2c724b2992e1-0xblackbird.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
username={username}
2) Send the request using a non-existing username
3) You'll notice that whenever we submit a request to the endpoint, it tells us whether the username is valid or non-existing.
Mitigation
I recommend returning more generic messages so that malicious users cannot enumerate usernames.
Have a great day!
Kind regards,
0xblackbird
P5 Informative
Endpoint: /drpanel/drapi/editpassword.php
Parameter: username
Payload: {username}
Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
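The mitigation the report recommends, as an added example that is not FirstBlood's code: a minimal reset handler in the verbose shape the report describes, next to a hardened one that answers identically for existing and unknown usernames, plus a regression check a test suite could keep. The user store, messages and function names are assumed for illustration.

```python
import secrets
from typing import Callable, List, Tuple

# Constructed user store standing in for the application's database.
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}

# Tokens issued during a run, so a caller can confirm the reset still works.
ISSUED_TOKENS: List[Tuple[str, str]] = []


def _issue_reset_token(username: str) -> None:
    """Side effect only: generate a token and (in a real app) e-mail it.
    Nothing here may flow back into the HTTP response."""
    ISSUED_TOKENS.append((username, secrets.token_urlsafe(32)))


def reset_verbose(username: str) -> Tuple[int, str]:
    """Vulnerable shape, as the report describes: status and message
    differ depending on whether the username exists."""
    if username not in USERS:
        return 404, "That user does not exist"
    _issue_reset_token(username)
    return 200, "A password reset link has been sent"


def reset_generic(username: str) -> Tuple[int, str]:
    """Hardened shape: the same status and body regardless of existence.
    The branch still does work only for real users; in production, queue
    the token/e-mail job so that response time does not leak either."""
    if username in USERS:
        _issue_reset_token(username)
    return 200, "If that account exists, a password reset link has been sent"


def leaks_existence(handler: Callable[[str], Tuple[int, str]],
                    known: str, unknown: str) -> bool:
    """Regression check: a handler leaks if an existing and a non-existing
    username produce any observable difference in status or body."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, handler in (("verbose", reset_verbose), ("generic", reset_generic)):
        print(f"{name}: leaks existence = {leaks_existence(handler, 'alice', 'nobody')}")
```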
Creator & Administrator
Hi 0xblackbird, this is something we consider a P5/informative issue