FirstBlood-#1073 Change doctor passwords via admin API that is accessible by any doctor
This issue was discovered on FirstBlood v3

On 2022-12-08, mr_xhunt (Level 8) reported:

Summary:

Since FirstBlood v2 had this bug where we could change the password of the doctor on the endpoint /drpanel/drapi/editpassword.php, I simply tried it again and found it is still vulnerable and not fixed yet.

Steps to Reproduce:

  1. Make a POST request to /drpanel/drapi/editpassword.php with the POST parameter username=admin
  2. The server will respond with the new password of the user

POC:

P1 CRITICAL

Endpoint: /drpanel/drapi/editpassword.php

Parameter: username

Payload: admin


FirstBlood ID: 52
Vulnerability Type: Auth issues

The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from drAdmin in previous versions to admin.
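The steps to reproduce and the resolution above describe three missing controls on the same endpoint: no authentication, the target account chosen by a client-supplied username, and the new password echoed back in the response. The following Python model is an added example for this page and is not FirstBlood's PHP code; it places a handler that behaves as reported next to a hardened version of the same operation. The usernames other than admin, the roles, the hashing parameters and the 12-character minimum password length are assumptions for the model only.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed user store. The usernames other than "admin", the roles and the
# password policy are assumptions for this model, not FirstBlood's real schema.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, role: str = "doctor") -> dict:
    salt = os.urandom(16)
    return {"username": username, "role": role, "salt": salt, "hash": _hash(password, salt)}


USERS = {
    "admin": make_user("admin", "initial-admin-pw", role="admin"),
    "drsmith": make_user("drsmith", "initial-smith-pw"),
    "drjones": make_user("drjones", "initial-jones-pw"),
}


def verify(user: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(_hash(password, user["salt"]), user["hash"])


def _set_password(user: dict, new_password: str) -> None:
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new_password, user["salt"])


def vulnerable_editpassword(post: dict) -> dict:
    """Models the reported behaviour of /drpanel/drapi/editpassword.php:
    no session check, the target is whatever 'username' the caller posts,
    and the freshly generated password is echoed back in the response."""
    target = USERS.get(post.get("username", ""))
    if target is None:
        return {"status": 404, "body": "no such user"}
    new_password = secrets.token_urlsafe(12)
    _set_password(target, new_password)
    return {"status": 200, "body": f"Password changed: {new_password}"}


def hardened_editpassword(session: Optional[dict], post: dict) -> dict:
    """The same operation with the missing controls added."""
    # 1. Authentication: an unauthenticated request is rejected outright.
    if session is None or session.get("username") not in USERS:
        return {"status": 401, "body": "login required"}
    caller = USERS[session["username"]]

    # 2. Authorization: a doctor may only change their own password. The check
    #    runs before any lookup so non-admins cannot enumerate usernames.
    target_name = post.get("username", caller["username"])
    if target_name != caller["username"] and caller["role"] != "admin":
        return {"status": 403, "body": "forbidden"}
    target = USERS.get(target_name)
    if target is None:
        return {"status": 404, "body": "no such user"}

    # 3. Re-authentication: a self-service change must prove the current password,
    #    so a hijacked session alone cannot lock the real owner out.
    if target is caller and not verify(caller, post.get("current_password", "")):
        return {"status": 403, "body": "current password incorrect"}

    # 4. The caller supplies the new password; the server never generates or echoes it.
    new_password = post.get("new_password", "")
    if len(new_password) < 12:  # assumed minimum length, not FirstBlood's policy
        return {"status": 400, "body": "new password too short"}
    _set_password(target, new_password)
    return {"status": 200, "body": "password updated"}


if __name__ == "__main__":
    # The reported request: no session, username=admin.
    print(vulnerable_editpassword({"username": "admin"}))
    print(hardened_editpassword(None, {"username": "admin"}))
    print(hardened_editpassword({"username": "drsmith"},
                                {"username": "admin", "new_password": "x" * 16}))
```

Run stand-alone, the first line printed shows the vulnerable handler resetting admin's password for an anonymous caller and leaking it; the hardened handler answers 401 to the same request and 403 when a logged-in doctor names another account. The same four checks apply to the real PHP endpoint: reject requests without a valid doctor session, derive the target from the session rather than from the request (or require an admin role), require the current password for self-service changes, and never return the new password.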