FirstBlood-#448 — Normal doctor can update other users' password
This issue was discovered on FirstBlood v2
On 2021-10-25, kinako Level 5 reported:
Dear FirstBlood security team, I found a vulnerability on your service.
I hope this report will help you.
Summary
The /drpanel/drapi/editpassword.php endpoint accepts any API request, and it leads to admin Account Take Over (ATO).
Vulnerability Description (PoC)
First of all, we can see a JS snippet in /drpanel/index.php
    /* to do
    function editpassword(username) {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", '', true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.onreadystatechange = function() {
            if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
                alert(this.responseText);
            } else {
            }
        }
        xhr.send();
    } */
This means there is an API about password edit or update.
After some tests, I found the /drpanel/drapi/editpassword.php endpoint.
And that JavaScript code also says that we need these things:
- Content-Type: application/x-www-form-urlencoded
- POST method
- username parameter
Next, if we send a request with the correct HTTP headers and the username param, we can update their password without any authorization process!!
Finally, I can take over drAdmin's account.
Note: this screenshot shows that this is not a normal doctor account, because there is no "Warning: As your account has been recently registered you will not be able to view patient information yet." message.
Impact
- all doctors can take over other doctors' accounts, even the admin account!
Regards,
kinako
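The root cause the report describes is an endpoint that trusts the posted username and never checks who is logged in. The following is an added illustration, not FirstBlood's actual editpassword.php source: it places the pattern from the report beside a hardened handler that binds the change to the session's own account. The table/column names, the $pdo connection, the session keys and the password parameter names are assumptions.

```php
<?php
// Added illustration, not FirstBlood's real editpassword.php.
// Assumed: a "doctors" table (username, password_hash), a PDO handle $pdo,
// and $_SESSION['username'] / $_SESSION['csrf'] set at login.
session_start();
$pdo = new PDO('sqlite:doctors.db'); // assumed DSN

// Pattern described in the report: the target account comes straight from the
// request body, so any logged-in (or even unauthenticated) caller can post
// username=drAdmin and overwrite the admin's password.
function vulnerable_edit_password(PDO $pdo, array $post): string
{
    $stmt = $pdo->prepare('UPDATE doctors SET password_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($post['password'], PASSWORD_DEFAULT), $post['username']]);
    return 'password updated';
}

// Hardened handler: the account is taken from the server-side session only;
// a client-supplied username is ignored, so one doctor cannot address another.
function hardened_edit_password(PDO $pdo, array $post, array $session): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (empty($session['username'])) {
        http_response_code(401);
        return 'login required';
    }
    // Constant-time CSRF token comparison ties the request to this session.
    if (!isset($post['csrf'], $session['csrf']) || !hash_equals($session['csrf'], $post['csrf'])) {
        http_response_code(403);
        return 'bad csrf token';
    }
    // Re-authenticate: a password change must prove knowledge of the current one.
    $stmt = $pdo->prepare('SELECT password_hash FROM doctors WHERE username = ?');
    $stmt->execute([$session['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($post['current_password'] ?? '', $row['password_hash'])) {
        http_response_code(403);
        return 'current password incorrect';
    }
    $stmt = $pdo->prepare('UPDATE doctors SET password_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($post['new_password'], PASSWORD_DEFAULT), $session['username']]);
    return 'password updated';
}

echo hardened_edit_password($pdo, $_POST, $_SESSION);
```

Admin-driven resets of other accounts, if needed, belong in a separate handler that checks the session's role explicitly; the commented-out JS in index.php is not a control, since the endpoint stays reachable regardless.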
P1 CRITICAL
Endpoint: /drpanel/drapi/editpassword.php
Parameter: username
Payload: username=drAdmin
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.