Lucene search
+L

shopex 4.8.5密码取回处新生成密码可预测漏洞

🗓️ 14 Oct 2011 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 13 Views

shopex 4.8.5密码取回处新生成密码可预测漏

Code

                                                要成功利用这个漏洞需要满足以下条件:

触发密码取回流程,这需要回答安全问题或者是用户注册邮箱填写正确;而shopex默认用户注册是只需要邮箱而不需要填写安全问题的

在自动化验证新密码是否正确时,需要自动登录网站,而shopex的登录默认便是有验证码的。可是这个验证码的实现存在缺陷:

                if($_COOKIE["S_RANDOM_CODE"]!=md5($_POST['signupverifycode'])){

                    $this->splash('failed','back',__('验证码录入错误,请重新输入'),'','',$_POST['from_minipassport']);

                } 

验证码的验证,实际上是比对两个值,一个是Cookie S_RANDOM_CODE的值,另一个是验证码的md5,因此通过一个小trick就能够绕过shopex的验证码机制:提交验证码为1234,并自定义cookie值为md5("1234"),这个验证码的校验将永远有效。
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation