FirstBlood-#97 — Registring to the application as a doctor due to the leaked invitation code [COLLAB]
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
Description
Hello Sean,
I found out that any user can register to the application due to the leaked invitation code in a Reddit forum, seems like a doctor had posted his invitation code in a Reddit forum linked here which enables any user to create his own doctor account.
- Then invite code:
F16CA47250E445888824A9E63AE445CE
Steps to reproduce
Opening the /register.php
endpoint asks for a username and a unique Invite code, as we already have the invite code we can choose our own doctor name and get a password for it:
then you can hit the /login.php
endpoint and log in with your chosen username and the given password.
You can see that you are registered and logged in to the application successfully.
Account takeover of valid existing doctors
I think there is also another application logic problem here besides the info leak mentioned above, according to /register.php
in the invite code field, it's called "Unique invite code" meaning that the invite code given to a doctor should only work for his username but not with any other username, this check is skipped in the application and any user can choose his own username with the leaked invite code to register to the application.
This security misconfiguration enables an attacker to use a known valid doctor username (besides drAdmin
) and to reset his password, therefore the doctor will be logged out of his account and we can log in with the new password generated by the server, and the old password won't work. This leads to an Account takeover of existing doctors.
Impact
- Anyone can register as a new doctor and access the doctor's portal
- Doctor's account takeover
Kind Regards,
HolyBugx
P2 High
This report contains multiple vulnerabilities:
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers