B3log Solo: any logged-in user can view any user's password (vulnerability warning) - 黑吧安全网 (MyHack58)

ID MYHACK58:62201337041
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-01-30T00:00:00


The B3log Solo admin console exposes an interface without a proper permission check: any logged-in user can retrieve any other user's account information, including the password, which is stored and returned in plaintext. The current official release, 0.5.5, is affected, so every user of an affected installation is at risk of having their password disclosed.

Vulnerability address: http://xxx/console/user/[userId]

This interface returns a user's account record and is used by the administrator's user-management page. It only verifies that the requester is logged in; it does not verify the requester's role. An ordinary user sees no link to it in the admin UI, but once logged in can request the address directly and obtain the record. To confirm the issue on an installation: log in as an ordinary (non-admin) user, request the address above with the administrator's user ID, and check whether the response contains that user's password.


Fix:

1. Store passwords as salted hashes instead of plaintext, so that the record returned by this interface (or any other leak) no longer yields usable credentials.

2. Add a permission check to the interface: require the administrator role, determined from the server-side account record rather than from anything the client sends.
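The following is an added example, not B3log Solo's own code, modelling the `/console/user/[userId]` handler described above before and after the two fixes. The `User` record, the in-memory stores, the session shape (a dict carrying only the caller's user ID) and every function name are assumptions made for illustration; the "before" handler reproduces the reported behaviour (login check only, plaintext password in the response), the "after" handler derives the caller's role from the stored record and never returns the password field.

```python
# Added example (not B3log Solo's code): the user-view check before and
# after the two fixes. All names, records and the session shape are assumed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: str
    name: str
    role: str       # "admin" or "default"
    password: str   # plaintext in the vulnerable store, PBKDF2 hash in the fixed store


# --- fix 1: salted password hashing -------------------------------------
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing PBKDF2-HMAC-SHA256 string: algo$iters$salt$dk."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample data: one administrator and one ordinary user.
USERS_PLAINTEXT = {
    "1": User("1", "admin", "admin", "admin-secret"),
    "2": User("2", "alice", "default", "alice-secret"),
}
USERS_HASHED = {
    uid: User(u.user_id, u.name, u.role, hash_password(u.password))
    for uid, u in USERS_PLAINTEXT.items()
}


def vulnerable_view_user(session, user_id, store):
    """Before the fix: only 'is the caller logged in?' is checked, so any
    logged-in user can read any record, and the record carries the password."""
    if session is None:
        return 401, None
    user = store.get(user_id)
    if user is None:
        return 404, None
    return 200, {"userId": user.user_id, "userName": user.name,
                 "userRole": user.role, "userPassword": user.password}


def fixed_view_user(session, user_id, store):
    """After fix 2: the caller's role comes from the server-side record (never
    from the request) and must be admin; the password field is never returned."""
    if session is None:
        return 401, None
    caller = store.get(session.get("user_id"))
    if caller is None or caller.role != "admin":
        return 403, None
    user = store.get(user_id)
    if user is None:
        return 404, None
    return 200, {"userId": user.user_id, "userName": user.name, "userRole": user.role}


def login(name, password, store):
    """Credential check against the hashed store; returns a session dict or None."""
    for u in store.values():
        if u.name == name and verify_password(password, u.password):
            return {"user_id": u.user_id}
    return None


if __name__ == "__main__":
    alice = login("alice", "alice-secret", USERS_HASHED)   # an ordinary logged-in user
    print(vulnerable_view_user(alice, "1", USERS_PLAINTEXT))  # leaks the admin password
    print(fixed_view_user(alice, "1", USERS_HASHED))          # 403, nothing returned
```

The role check deliberately looks the caller up in the store by the session's user ID rather than trusting a role stored client-side; a forged or stale session for an unknown ID is rejected the same way as an ordinary user.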