ECShop CAPTCHA bypass logic vulnerability - vulnerability warning - MyHack58 (黑吧安全网)

2015-01-24T00:00:00
ID MYHACK58:62201558355
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-01-24T00:00:00

Description

Although the code is encrypted, there is still a problem in the logic.

The problem is in ..\includes\cls_captcha.php: the verification function simply returns the result of the match and does no processing at all on authentication failure.

```php
function check_word($word)
{
    // Expected value, stored base64-encoded in the session when the CAPTCHA image was generated
    $recorded = isset($_SESSION[$this->session_word]) ? base64_decode($_SESSION[$this->session_word]) : '';
    $given    = $this->encrypts_word(strtoupper($word)); // MD5 encryption processing

    // Validation rule: the match result is returned as-is. Nothing is done on
    // failure, so the session word stays valid for further attempts.
    return (preg_match("/$given/", $recorded));
}
```

That is, when the login fails the CAPTCHA SESSION value is not set to empty, so at that point the request can be repeated for brute-force attempts. The following code in ..\ecshop\admin\privilege.php likewise shows no processing on a validation error.

```php
if (intval($_CFG['captcha']) & CAPTCHA_ADMIN)
{
    include_once(ROOT_PATH . 'includes/cls_captcha.php');

    /* check CAPTCHA is correct */
    $validator = new captcha();
    // The check only runs when a CAPTCHA value was submitted, and a wrong
    // answer just shows an error message; the session word is left untouched.
    if (!empty($_POST['captcha']) && !$validator->check_word($_POST['captcha']))
    {
        sys_msg($_LANG['captcha_error'], 1);
    }
}

$_POST['username'] = isset($_POST['username']) ? trim($_POST['username']) : '';
$_POST['password'] = isset($_POST['password']) ? trim($_POST['password']) : '';

$sql = "SELECT ec_salt FROM " . $ecs->table('admin_user') . " WHERE user_name = '" . $_POST['username'] . "'";
echo $sql . "<br/>"; // debug output present in the quoted code
$ec_salt = $db->getOne($sql);

if (!empty($ec_salt))
{
    /* check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login, suppliers_id, ec_salt" .
           " FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5(md5($_POST['password']) . $ec_salt) . "'";
}
else
{
    /* check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login, suppliers_id, ec_salt" .
           " FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5($_POST['password']) . "'";
}

$row = $db->getRow($sql);
if ($row)
{
    ....
}
```
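As an added example (not ECShop's own code), this is how the admin CAPTCHA check could be hardened so that the two weaknesses above are closed: an empty submission is treated as a failure rather than skipping the check, and the session word is consumed on every attempt so one CAPTCHA cannot be replayed. The function name, the session key and the sample session contents are assumptions; it also assumes the expected word is kept base64-encoded in the session, as in cls_captcha.php.

```php
<?php
// Added example, not ECShop code. Session key name is an assumption.
const CAPTCHA_SESSION_KEY = 'captcha_word';

/**
 * Returns true only when a non-empty, correct CAPTCHA was submitted.
 * The stored word is removed on every call, correct or not, so a failed
 * login always forces a fresh CAPTCHA on the next attempt.
 */
function verify_admin_captcha(array $post, array &$session): bool
{
    $recorded = isset($session[CAPTCHA_SESSION_KEY])
        ? base64_decode($session[CAPTCHA_SESSION_KEY], true)
        : '';
    // One-time use: consume the word before comparing anything.
    unset($session[CAPTCHA_SESSION_KEY]);

    $given = isset($post['captcha']) ? trim((string) $post['captcha']) : '';
    // An empty or missing answer is a failure, not a skipped check.
    if ($given === '' || $recorded === '' || $recorded === false) {
        return false;
    }
    // Exact comparison of the whole word in constant time; preg_match on
    // the stored value would accept any substring match instead.
    return hash_equals(strtoupper($recorded), strtoupper($given));
}

// Constructed demonstration data, not from a real session.
$session = [CAPTCHA_SESSION_KEY => base64_encode('AB3K')];
// Empty answer: rejected, and the word is consumed.
assert(verify_admin_captcha(['captcha' => ''], $session) === false);
assert(!isset($session[CAPTCHA_SESSION_KEY]));

$session = [CAPTCHA_SESSION_KEY => base64_encode('AB3K')];
// Correct answer (case-insensitive, as in the original strtoupper handling).
assert(verify_admin_captcha(['captcha' => 'ab3k'], $session) === true);
// Same answer again: the word was consumed, so a replay fails.
assert(verify_admin_captcha(['captcha' => 'ab3k'], $session) === false);

echo "all checks passed\n";
```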
