Full Account Takeover.

[r4vanan]

Describe your problem

i cloned and test the webpage
I found the vulnerability which takeover any users passwords including admin password.
when i try to find the idor like bug. I found this password reset is in the url like http://127.0.0.1:8000/admin/edit-user/user
in security tab which shown in this picture

i reset admin password with following steps

Steps to reproduce the problem

• create the user with author privilege.
• login into the user.
• Click on profile.
• after that click on the security tab which is like in the about image
• Type the new password and confirm password
• Intercept the request in the Burpsuite.
• there is a put request is going on for reset the password which the username provided on the link
• here is the request which is i made to reset the password of admin

PUT /api/users/<existing usernames to reset> HTTP/1.1
Host: 127.0.0.1:8000

• it works on that users token without any error

Bludit version

Just cloned the repo so I am not sure

Hosting or Webserver name

php webserver

PHP version

PHP 8.2.4 (cli) (built: Mar 15 2023 15:27:52) (NTS)

[r4vanan]

Here is the poc video link for that vuln
https://mega.nz/file/v4UWFYhY#-45t62DbtnIMVYFw-MlWJXfVraS6MaQZ83BoGCDqjuQ