WSS latest version: any user can reset any user's password (verified on the official demo) - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201457548
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-12-31T00:00:00


A design flaw in the latest version of WSS allows any user to reset any other user's password, including the administrator's.

File: user_edit_password.php

Code:

<?php require_once('config/tank_config.php'); ?>
<?php require_once('session_unset.php'); ?>
<?php require_once('session.php'); ?>
<?php
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

$password = "-1";
if (isset($_POST['tk_user_pass'])) {
    $password = $_POST['tk_user_pass'];
}

// Weak hashing: the salt is the first two characters of the password itself,
// not a random value.
$tk_password = md5(crypt($password, substr($password, 0, 2)));

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
    // No check that the current session may edit this account:
    // the target uid is taken straight from $_POST['ID'].
    $updateSQL = sprintf("UPDATE tk_user SET tk_user_pass=%s WHERE uid=%s",
                         GetSQLValueString($tk_password, "text"),
                         GetSQLValueString($_POST['ID'], "int"));

    mysql_select_db($database_tankdb, $tankdb);
    $Result1 = mysql_query($updateSQL, $tankdb) or die(mysql_error());
}
?>

This file changes a user's password and is meant for the back-end administrator.

Because of a design flaw, however, the code never checks the caller's permissions before running the UPDATE, so any logged-in user (the official demo's read-only test account is enough) can reset any other user's password.

The target account is chosen purely by the ID POST parameter: a request carrying MM_update=form1, ID=<target uid> and tk_user_pass=<new password> overwrites that user's password hash.
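As an added example, not the project's code or the author's fix, here is how the update branch of user_edit_password.php could be written so that the authorization decision is made before any database write, with the uid bound as an integer in a prepared statement. The session keys $_SESSION['uid'] and $_SESSION['is_admin'], and the connection variables other than $database_tankdb, are assumptions, since session.php and tank_config.php are not shown on the page:

```php
<?php
// Added example (not the project's code): the update branch of
// user_edit_password.php with an authorization check and a prepared statement.
// Assumptions, because session.php and tank_config.php are not on the page:
//   - session.php starts the session and stores the logged-in user's id in
//     $_SESSION['uid'] and an administrator flag in $_SESSION['is_admin'];
//   - tank_config.php defines $hostname_tankdb, $username_tankdb,
//     $password_tankdb and $database_tankdb (only the last appears on the page).
require_once('config/tank_config.php');
require_once('session.php');

// Only an administrator, or the account owner acting on their own uid,
// may change the password of $targetUid.
function current_user_may_edit($targetUid)
{
    if (empty($_SESSION['uid'])) {
        return false;                         // not logged in
    }
    if (!empty($_SESSION['is_admin'])) {
        return true;                          // back-end administrator
    }
    return (int) $_SESSION['uid'] === (int) $targetUid;
}

if (isset($_POST['MM_update'], $_POST['ID'], $_POST['tk_user_pass'])
    && $_POST['MM_update'] === 'form1') {

    $targetUid = (int) $_POST['ID'];

    // Decide before writing: a forbidden request must not leave a changed
    // password behind, which is exactly what the original code allows.
    if (!current_user_may_edit($targetUid)) {
        http_response_code(403);
        exit('No permission to change this user\'s password.');
    }

    // Replaces md5(crypt(...)) with a randomly salted, slow hash (PHP >= 5.5).
    // Rows stored in the old format have to be re-hashed on next login.
    $hash = password_hash($_POST['tk_user_pass'], PASSWORD_DEFAULT);

    $db = new mysqli($hostname_tankdb, $username_tankdb, $password_tankdb, $database_tankdb);
    if ($db->connect_error) {
        http_response_code(500);
        exit('Database connection failed.');
    }

    // Prepared statement: the hash is bound as a string, the uid as an integer.
    $stmt = $db->prepare('UPDATE tk_user SET tk_user_pass = ? WHERE uid = ?');
    $stmt->bind_param('si', $hash, $targetUid);
    $stmt->execute();

    // affected_rows is 0 when no row has that uid; say so instead of "Saved".
    if ($stmt->affected_rows !== 1) {
        http_response_code(404);
        exit('No such user.');
    }
    $stmt->close();
    $db->close();
}
?>
```

The check is deliberately a function of the session and the target uid only, so the same decision can be reused by whatever later part of the page renders the form. A CSRF token on the form and, for the self-service path, re-entry of the current password are further hardening that this example does not cover.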

Proof of concept:

Official demo:

The official demo's test account is read-only.

Using the flaw, we reset the admin user's password:

[Screenshot 1.png]

Saved successfully.

If the submitted UID is not the current user's, the page returns a "no permission" error, but the password reset still takes effect.

The test user here has UID=7.

After the reset, logging in as the admin user:

[Screenshot 2.png]

Repair options:
