当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(1) 关注此漏洞

缺陷编号: WooYun-2014-49064

漏洞标题: PHPYUN设计缺陷验证码形同虚设

相关厂商: php云人才系统

漏洞作者: 齐迹

提交时间: 2014-01-16 15:23

公开时间: 2014-04-16 15:23

漏洞类型: 设计缺陷/逻辑错误

危害等级: 低

自评Rank: 3

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 逻辑错误

1人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-16: 细节已通知厂商并且等待厂商处理中
2014-01-16: 厂商已经确认,细节仅向厂商公开
2014-01-19: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-03-12: 细节向核心白帽子及相关领域专家公开
2014-03-22: 细节向普通白帽子公开
2014-04-01: 细节向实习白帽子公开
2014-04-16: 细节向公众公开

简要描述:

PHPYUN设计缺陷验证码形同虚设

详细说明:

所有地方的验证码 验证后都未进行过期操作。导致验证码形同虚设

以找回密码为例

model/forgetpw.class.php

code 区域
function sendpw_action()


	{


		if(md5($_POST["authcode"])!=$_SESSION['authcode']){


			$this->obj->ACT_msg("index.php?M=forgetpw","验证码错误","2");


		}


		$pass =array("A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","g","k","l","m","n","o","p","q","r","s","t","u","v","w","x","w","z","1","2","3","4","5","6","7","8","9","0");


		$len = rand(8,12);


		for($i=0;$i<$len;$i++)


		{


			$k = rand(0,36);


			$password.=$pass[$k];


		}


		$info = $this->obj->DB_select_once("member","`username`='".$_POST["username"]."'");


		if(is_array($info))


		{


			if($this->config['sy_uc_type']=="uc_center" &&$info['name_repeat']!="1")


			{


				$this->obj->uc_open();


				uc_user_edit($info['username'], "", $password, $info['email'],"0");


			}else{


				$salt = substr(uniqid(rand()), -6);


				$pass2 = md5(md5($password).$salt);


				$value="`password`='".$pass2."',`salt`='".$salt."'";


				$this->obj->DB_update_all("member",$value,"`username`='".$_POST["username"]."'");


			}


			$this->send_msg_email(array("username"=>$_POST["username"],"password"=>$password,"email"=>$info['email'],"moblie"=>$info['moblie'],"type"=>"getpass"));


			$this->obj->ACT_msg("index.php?M=forgetpw", $msg = "新密码已发送到您的邮箱,请查收后登录系统修改密码!", $st = 2, $tm = 3);


		}else{


			$this->obj->ACT_msg("index.php?M=login", $msg = "对不起!没有该用户!", $st = 2, $tm = 3);


		}


	}





这里验证通过和输入错误后都没有unset session 导致之前的验证码不会过期可以重复使用。

从而只要得知用户邮箱 即可批量帮别人修改密码!

漏洞证明:

我这里就不用Bp跑了!

输入邮箱 就可以重置用户密码,怎么都觉得不是很妥,万一用户是假邮箱注册的 岂不是这么一搞密码就永远不知道了啊?

修复方案:

验证码不管用户对还是错,都应该过期重新让用户输入!

版权声明:转载请注明来源 齐迹@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-01-16 16:14

厂商回复:

我们会完善这一块!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录