FirstBlood-#1001 — Admin Account takeover
This issue was discovered on FirstBlood v3
On 2022-12-08, didsec Level 5 reported:
Hi there
I found it is possible to change the password of the admin account by sending a POST request to /drpanel/drapi/editpassword.php.
As it's only looking for the username, this works even if unauthenticated.
To reproduce:
- Visit https://firstbloodhackers.com/drpanel/drapi/editpassword.php and intercept the request
- Change the request to a POST request
- Add the body parameter
username=admin
and forward the request
- We are given a new password
- Go to the login page and log in; we now have access to the Admin account
P1 CRITICAL
FirstBlood ID: 52
Vulnerability Type: Auth issues
The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from drAdmin (in previous versions) to admin.
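The root cause described above is a password-change endpoint that trusts a client-supplied username and requires no session. The handler below is an added example of how such an endpoint should be written; it is not FirstBlood's code, and the database DSN, table/column names and session keys are assumptions.

```php
<?php
// Added example (not FirstBlood's code): a password-change handler that never
// trusts a client-supplied username. The account to change comes from the
// authenticated session, the current password must be re-proven, and a CSRF
// token is required. DSN, table and column names are assumptions.
declare(strict_types=1);
session_start();

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'method not allowed');
}
// 1. Authentication: the caller must already be logged in. Any "username"
//    field in the body is ignored; the session decides whose password changes.
if (empty($_SESSION['user_id'])) {
    fail(401, 'authentication required');
}
// 2. CSRF: a logged-in user must not be forceable into this POST by a third party.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string)$_POST['csrf_token'])) {
    fail(403, 'invalid CSRF token');
}
$current = (string)($_POST['current_password'] ?? '');
$new     = (string)($_POST['new_password'] ?? '');
if (strlen($new) < 12) {
    fail(400, 'new password too short');
}
$pdo  = new PDO('sqlite:/PLACEHOLDER/app.db'); // placeholder DSN (assumption)
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// 3. Re-authentication: prove knowledge of the current password before changing it,
//    so a hijacked session alone is not enough to lock the owner out.
if ($row === false || !password_verify($current, $row['password_hash'])) {
    fail(403, 'current password incorrect');
}
$update = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
$update->execute([password_hash($new, PASSWORD_DEFAULT), $_SESSION['user_id']]);
// 4. Rotate the session identifier after a credential change.
session_regenerate_id(true);
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

For an administrator resetting someone else's password, the same handler would additionally check an admin role on the session and log the acting user and target account, rather than accepting the target from an unauthenticated request.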
Creator & Administrator
Congratulations, you were the second user to discover this bug :-)