In content management system development, one important and crucial step is implementing account authentication. The authentication function manages user login behaviour and sessions so that valid login access control is enforced. Typically this function is built from a username and password, but in practical application scenarios some important content management systems still have serious authentication vulnerabilities. As an example, I tested Luminate, the Yahoo Small Business platform.

Luminate was formerly an image advertising company. After Yahoo acquired it in September 2014, it was integrated with the Yahoo Small Business services platform to jointly promote Yahoo advertising and Small Business customer services.

Forgot Password feature

During my evening routine of working on public bug bounty programs, I decided to look into Luminate's forgotten-password handling. Sure enough, it has a method for resetting a user's password.

The basic process of that method is as follows. First, the user submits an e-mail address to a Yahoo server to tell the server that they have forgotten their password:

    POST /forgotpassword HTTP/1.1
    Host: login.luminate.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 861
    Connection: close
    Upgrade-Insecure-Requests: 1

    email@example.com

The server creates a one-time token based on the submitted request and sends it to the user's mailbox:

    https://login.luminate.com/passwordreset?sign=TMaJJnAjigfnprxqbcfnuBK8eJmJL2PHFByAA8OblfyHdZvxhXkeTmo5G_V1TNabJHUmSR9OSeYAnzm-yAlKbUfCYLsCQtrZnZF2IxCotLh_VEn7Px6nVTA3Sm_fF9t490t_x9-t1xKcVqRPLOgQGSHb3wXYBevsypDblPoO1c4

The user then uses this one-time token to verify their identity and perform the password reset:

    POST /passwordreset HTTP/1.1
    Host: login.luminate.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 463
    Connection: close
    Upgrade-Insecure-Requests: 1

    password=password&cpassword=password&uuid=6491c80b-2850-4d9c-9061-73a6122b3dca&sign=TMaJJnAjigfnprxqbcfnuBK8eJmJL2PHfbyaa8oblfyhdzvxhxketmo5g_v1tnabjhumsr9oseyanzm-yAlKbUfCYLsCQtrZnZF2IxCotLh_VEn7px6nvta3sm_ff9t490t_x9-t1xKcVqRPLOgQGTiD-OCPPqBlpAWpi4yXgz0firstname.lastname@example.org

Experimental

This password reset method is very interesting because it carries some additional parameters that are not needed. In step two of the process above, to rule out password reset attacks that guess the data, the server generates a security key, the sign parameter, from the user's mailbox address. Strictly speaking, the sign parameter is the only parameter a password reset really needs; the other parameters are just auxiliary data for the system. In step three, it can be seen that in the actual password reset request the user can modify the "email" and "uuid" parameters. This is a very interesting point, because those parameters may be associated with user authentication. After a little study, I found that modifying the email parameter has no effect at all; it only serves as a visual prompt.

So what is the "uuid" parameter? This again aroused my interest. If the sign parameter is mandatory, what role does this unique user uuid parameter play? From a programming standpoint, I think the developers went beyond the ordinary approach when designing the system: they may use the sign parameter to identify the user and retrieve their data, store that data in a hidden field, and then further parse and verify it:

    <input name="uuid" value="6491c80b-2850-4d9c-9061-73a6122b3dca" type="hidden">

Attack testing based on the discovered issue

Based on the assumptions and experiments above, the uuid is a parameter associated with the user's account ID.
If this parameter is usable, I think there is no need to match it against the sign parameter, and another person's user ID could be used for a password reset. To verify this guessed attack, I submitted password reset information using the test account "email@example.com", which generated the UUID 1231c32b-2850-4e9c-9061-42k3022b3dcd; the other test account was my own, samwcurry@gmail.com, whose generated UUID was 6491c80b-2850-4d9c-9061-73a6122b3dca. After replacing the UUID generated for "firstname.lastname@example.org" with the UUID generated for my own account samwcurry@gmail.com, I followed the reset process above and submitted the modified POST request to the server using BurpSuite. In the end, the password of the samwcurry@gmail.com account was actually reset successfully under the identity of the account attacker@attacker.com. Good god!

Summed up, the issue is this: the uuid is an authentication parameter associated with each user account, it can be modified when the password reset request is submitted, and the password reset operation has nothing to do with the sign parameter.

Exploit ideas

Back to the beginning of the article: the username and password are the important means of authentication, and of course whoever holds the password controls the account. The uuid is tied to the account's password reset, so in other words, whoever knows the uuid can also control the account. Assume the attack scenario is as follows:

[figure: attack scenario]

Although obtaining the uuid value is difficult, this attack scenario still describes an authentication vulnerability in the Yahoo Small Business platform. Once an attacker obtains the uuid, they can repeat this password reset attack until they have completely taken over the account.

Vulnerability report timeline

June 14, 2017 – initial report of the vulnerability to Yahoo
June 14, 2017 – Yahoo verified and triaged the vulnerability
June 15, 2017 – vulnerability fixed
June 25, 2017 – vulnerability published, awaiting the bounty

This exploit relies on a certain precondition; the idea presented here is for testing reference only.
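To make the root cause concrete, here is an added example (my own code, not Luminate's or Yahoo's) that models the three-step reset flow with a constructed account store and an assumed HMAC-signed token format: the vulnerable handler validates sign but writes the new password to whatever uuid the form carries, while the hardened handler takes the account from the token, ignores the client-supplied uuid and email fields, and consumes the token after one use.

```python
import base64, hashlib, hmac, secrets, time

# Constructed demo store: UUIDs are the two quoted in the post, e-mails are placeholders.
SERVER_KEY = secrets.token_bytes(32)
ACCOUNTS = {
    "6491c80b-2850-4d9c-9061-73a6122b3dca": {"email": "victim@example.org", "password": "old-v"},
    "1231c32b-2850-4e9c-9061-42k3022b3dcd": {"email": "attacker@example.org", "password": "old-a"},
}
USED_SIGNS = set()

def _enc(b): return base64.urlsafe_b64encode(b).decode().rstrip("=")
def _dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_reset_token(email, ttl=900):
    """Step 2: bind the token to the account found by e-mail, add an expiry, sign with a server key."""
    uuid = next(u for u, a in ACCOUNTS.items() if a["email"] == email)
    payload = f"{uuid}|{int(time.time()) + ttl}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _enc(payload) + "." + _enc(mac)

def verify_sign(sign):
    """Return the uuid the token was issued for, or None if bad signature, expired, or already used."""
    try:
        p, m = sign.split(".")
        payload, mac = _dec(p), _dec(m)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected) or sign in USED_SIGNS:
        return None
    uuid, exp = payload.decode().split("|")
    return uuid if int(exp) > time.time() else None

def reset_vulnerable(form):
    """Mirrors the bug in the post: sign is only checked for validity, then the new
    password is written to whatever uuid the client put in the form."""
    if verify_sign(form["sign"]) is None:
        return None
    ACCOUNTS[form["uuid"]]["password"] = form["password"]
    return form["uuid"]

def reset_hardened(form):
    """Fix: the target account comes from the token itself; the client-supplied uuid
    and email fields are ignored, and the token is consumed after a single use."""
    uuid = verify_sign(form["sign"])
    if uuid is None or form["password"] != form["cpassword"]:
        return None
    USED_SIGNS.add(form["sign"])
    ACCOUNTS[uuid]["password"] = form["password"]
    return uuid
```

Run against a token issued for the attacker account with the victim's uuid in the form, reset_vulnerable changes the victim's password and reset_hardened changes only the attacker's own.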