FirstBlood #448: Normal doctor can update other users' password
This issue was discovered on FirstBlood v2



On 2021-10-25, kinako (Level 5) reported:

Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.

Summary

The /drpanel/drapi/editpassword.php endpoint accepts any API request, and this leads to admin Account Take Over (ATO).

Vulnerability Description (PoC)

First of all, we can see a JS snippet in /drpanel/index.php:

    /* to do
    function editpassword(username) {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", '', true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

        xhr.onreadystatechange = function() {
            if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
                alert(this.responseText);
            } else {

            }
        }

        xhr.send();
    } */

This means there is an API for editing or updating passwords.

After some testing, I found the /drpanel/drapi/editpassword.php endpoint.

And that JavaScript code also says that we need these things:

  • Content-Type: application/x-www-form-urlencoded
  • POST method
  • username parameter

Next, if we send a request with the correct HTTP headers and username param, we can update their password without any authorization process!!

Finally, I can take over drAdmin's account.

Note: this screenshot shows that this is not a normal doctor account, because there is no "Warning: As your account has been recently registered you will not be able to view patient information yet." message.

Impact

  • All doctors can take over other doctors' accounts, even the admin account!

Regards, kinako

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: username=drAdmin


FirstBlood ID: 27
Vulnerability Type: Application/Business Logic

It is possible to edit the admin's password (drAdmin) from /drapi/editpassword, as the endpoint only looks at the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.