Admin Panel Exposure by old credentials

FirstBlood-#309 — Admin Panel Exposure by old credentials
This issue was discovered on FirstBlood v2

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this bug & therefore it will not count towards unique bugs discovered. This may be because of the bug not working as intended and changes we made, something we do not consider an issue on BARKER, or the correct impact was not shown (For example only Open Redirect demonstrated when XSS was possible)

On 2021-10-25, newrouge Level 3 reported:


Hey, i found that although there is no credentials given this time but old credentials still work and leads to Admin Panel Exposure.
Steps:

GO to https://b9bc23e2ab61-newrouge.a.firstbloodhackers.com/login.php
Enter credentials  drAdmin - s2Wpx5zfUvlSZhspJ and you will have full admin panel access.


Thank you
newrouge

This report has been publicly disclosed for everyone to view

P5 Informative

Endpoint: /login.php

Parameter: N/A

Payload: drAdmin : s2Wpx5zfUvlSZhspJ

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.

Report Feedback

@zseano

Creator & Administrator

Hi newrogue, this was something not intended for the event and we fixed it within an hour of launch so no Bug ID will be assigned but we won't reject also :)

BugBountyHunter

Steps:

Report Feedback

@zseano