Vulnerability Details

Disclosure status:

2014-01-16: Details reported to the vendor, awaiting vendor handling
2014-01-16: Vendor confirmed; details disclosed to the vendor only
2014-01-19: Details opened to third-party security partners
2014-01-26: Details disclosed to core white hats and experts in related fields
2014-02-05: Details disclosed to regular white hats
2014-02-25: Details disclosed to intern white hats
2014-04-16: Details disclosed to the public

Summary:

PHPYUN design flaw: the CAPTCHA is effectively useless

Detailed description:

No CAPTCHA anywhere in the application is expired after it has been checked, so the CAPTCHA is effectively useless.

Take password recovery as an example:

model/forgetpw.class.php

function sendpw_action()
{
    // The CAPTCHA is compared against the session value but never cleared,
    // on either the success or the failure path
    if(md5($_POST["authcode"])!=$_SESSION['authcode']){
        $this->obj->ACT_msg("index.php?M=forgetpw","验证码错误","2");
    }
    // Generate a new random password
    $pass =array("A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","g","k","l","m","n","o","p","q","r","s","t","u","v","w","x","w","z","1","2","3","4","5","6","7","8","9","0");
    $len = rand(8,12);
    for($i=0;$i<$len;$i++)
    {
        $k = rand(0,36);
        $password.=$pass[$k];
    }
    // Look up the account by the submitted username
    $info = $this->obj->DB_select_once("member","`username`='".$_POST["username"]."'");
    if(is_array($info))
    {
        if($this->config['sy_uc_type']=="uc_center" &&$info['name_repeat']!="1")
        {
            $this->obj->uc_open();
            uc_user_edit($info['username'], "", $password, $info['email'],"0");
        }else{
            $salt = substr(uniqid(rand()), -6);
            $pass2 = md5(md5($password).$salt);
            $value="`password`='".$pass2."',`salt`='".$salt."'";
            $this->obj->DB_update_all("member",$value,"`username`='".$_POST["username"]."'");
        }
        // Send the new password to the account's email address
        $this->send_msg_email(array("username"=>$_POST["username"],"password"=>$password,"email"=>$info['email'],"moblie"=>$info['moblie'],"type"=>"getpass"));
        $this->obj->ACT_msg("index.php?M=forgetpw", $msg = "新密码已发送到您的邮箱,请查收后登录系统修改密码!", $st = 2, $tm = 3);
    }else{
        $this->obj->ACT_msg("index.php?M=login", $msg = "对不起!没有该用户!", $st = 2, $tm = 3);
    }
}

Here, neither a successful check nor a wrong input unsets the session value, so the previously issued CAPTCHA never expires and can be reused.

As a result, knowing only a user's email address is enough to reset other people's passwords in bulk!

Proof of concept:

I won't bother running it through Burp here!

Being able to reset a user's password just by entering an email address doesn't feel right in any case; if the user registered with a fake email, wouldn't the password simply be lost forever after such a reset?

Fix recommendation:

Whether the user's input is right or wrong, the CAPTCHA should be expired and the user asked to enter a new one!
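The following is an added example of the recommended fix, not PHPYUN's own code: the stored CAPTCHA is removed from the session before the comparison, so a code can be used at most once regardless of the outcome. The function names, the pass-by-reference session array and the early return are assumptions made for illustration; in the real handler the caller would pass $_POST and $_SESSION.

```php
<?php
// Added example (not PHPYUN's code): single-use CAPTCHA check for the
// password-recovery handler. Names below are assumptions for illustration.

function check_captcha_once(array $post, array &$session): bool
{
    // Consume the stored code first, so it cannot be replayed
    // whether this attempt succeeds or fails.
    $expected = $session['authcode'] ?? null;
    unset($session['authcode']);

    if ($expected === null || !isset($post['authcode']) || !is_string($post['authcode'])) {
        return false;
    }

    // The original stores md5() of the code in the session; compare in
    // constant time to avoid leaking information through timing.
    return hash_equals($expected, md5($post['authcode']));
}

function sendpw_action_fixed(array $post, array &$session): string
{
    if (!check_captcha_once($post, $session)) {
        // Stop processing on a bad or reused code; the original only
        // emitted a message and continued with the reset logic.
        return 'captcha_error';
    }

    // ... the existing password generation, update and email logic
    //     would follow here unchanged ...
    return 'ok';
}

// Constructed demo: a fresh session holds the hash of a code issued to the user.
$session = ['authcode' => md5('ab3x')];

// First submission with the correct code is accepted.
$first = sendpw_action_fixed(['authcode' => 'ab3x', 'username' => 'alice'], $session);

// Replaying the same code is rejected, because the session entry is gone.
$second = sendpw_action_fixed(['authcode' => 'ab3x', 'username' => 'alice'], $session);

// A wrong code also consumes the stored entry, so a second guess needs a new CAPTCHA.
$session = ['authcode' => md5('ab3x')];
$wrong = sendpw_action_fixed(['authcode' => 'zzzz', 'username' => 'alice'], $session);
$stillGone = isset($session['authcode']);

var_dump($first, $second, $wrong, $stillGone);
```

Running the block shows the first call returning 'ok', the replay returning 'captcha_error', and after a wrong guess the session no longer contains an 'authcode' entry. The key design choice is that unset() happens before the comparison, so there is no code path, including early exits or exceptions in later logic, on which the code survives for a second attempt.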

Copyright notice: please credit the source when reposting: 齐迹@乌云


Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed at: 2014-01-16 16:14

Vendor reply:

We will improve this area!

Latest status:

None


Vulnerability rating: