After the verification code is enabled for logon, The Zhengfang educational administration system can change the logon page address to bypass the verification code, so as to write a script to brute force crack the jwc01 password, or scan weak passwords in the student ID segment to steal student data.
By default, you need to enter the verification code. After changing default2.aspx in the address bar to defa3.3.aspx (or default5.aspx), you can directly log on without the Verification Code request.
After a wrong password is entered, a Password error prompt is displayed: you can log on successfully after entering the correct password:
This vulnerability allows you to easily scan student information or crack passwords by using weak passwords.
Solution:
After the verification code function is enabled, the verification code is added to the defa3.3.aspx (or default5.aspx) requests.