FirstBlood-#1053 Editpassword.php allows anyone to edit any user's passwords
This issue was discovered on FirstBlood v3



On 2022-12-08, 0xblackbird Level 5 reported:

Summary:

Hi mate!

I hope you're doing well today!

I found out that the endpoint from firstblood v2 was still not patched. The endpoint /drpanel/drapi/editpassword.php is still available and is still able to change passwords of any user!

Possible cause:

There aren't any checks in place that cross-check whether I'm authorized to reset someone else's password or not.

Impact:

I was able to take over anyone's account as no privileges were required, as long as I had their username (but that isn't an issue).

Steps to reproduce:

Proof of concept endpoint: /drpanel/drapi/editpassword

1) Spin up firstblood v3 if you haven't already
2) Send the following POST request:

POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: {HOST}
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

username=admin

3) The response should contain a newly generated password.

Mitigation:

I highly recommend adding authorization checks in place to fully mitigate this issue and to ensure that no one gets to reset another user's password again.

Thanks for hosting such an awesome event again!

Kind regards, 0xblackbird

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: {username}


FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account whose username is known. The username was renamed from drAdmin in previous versions to admin.
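The fix the report asks for is an authentication check followed by an authorization check before any password is rotated. The handler below is an added example of that shape, not FirstBlood's own code: the session keys, the $pdo connection from db.php, the users table layout and the admin role name are assumptions.

```php
<?php
// Added example, not FirstBlood's code: a hardened editpassword.php handler.
// Assumed: session holds user_id, username and role; db.php defines $pdo;
// table users(username, password) stores password_hash() output.
declare(strict_types=1);
session_start();
require_once __DIR__ . '/../db.php'; // assumed: defines $pdo (PDO)

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    deny(405, 'POST only');
}

// 1. Authentication: the reported endpoint answered with no session at all.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}

// 2. Authorization: only the account owner or an admin may rotate a password.
$target = trim((string)($_POST['username'] ?? ''));
if ($target === '') {
    deny(400, 'username missing');
}
$isAdmin = (($_SESSION['role'] ?? '') === 'admin');
if (!$isAdmin && $target !== ($_SESSION['username'] ?? '')) {
    deny(403, 'not allowed to change this account');
}

// 3. Rotate: CSPRNG password, stored only as a hash, updated by bound query.
$newPassword = bin2hex(random_bytes(12)); // 96 bits of entropy
$hash = password_hash($newPassword, PASSWORD_DEFAULT);
$stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE username = :u');
$stmt->execute([':hash' => $hash, ':u' => $target]);
if ($stmt->rowCount() !== 1) {
    deny(404, 'unknown user');
}

// 4. Audit trail so a reset of someone else's account is visible in logs.
error_log(sprintf('password reset: actor=%s target=%s ip=%s',
    $_SESSION['username'] ?? '?', $target, $_SERVER['REMOTE_ADDR'] ?? '-'));

header('Content-Type: application/json');
echo json_encode(['status' => 'ok', 'password' => $newPassword]);
```

The v2/v3 endpoint skipped steps 1 and 2 entirely, which is why a bare `username=admin` body was enough; the 401/403 responses are also the signal a detection rule can key on.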