The /ext/mobile/login.php logon page is as follows:

    if (isset($_POST['sub'])) {
        include('../../ext_public/database_mobile.php');
        mysql_query("set names 'utf8'");
        $SQL = "select * from " . $config['db_prefix'] . "user where binary user = '" . addslashes($_POST['user']) . "' and binary pass = '" . md5(addslashes($_POST['pass'])) . "' and status = 1 and complete = 0";
        $user = $_POST['user'];
        $result = mysql_query($SQL);
        $num = mysql_num_rows($result);
        if ($num == 1) {
            // Password matched: mark the session and mirror the same three values into cookies
            $_SESSION['youyax_data'] = 1;
            $_SESSION['youyax_user'] = $user;
            $_SESSION['youyax_bz'] = 1;
            @setcookie('youyax_data', 1, time() + (60*60*24*30), "/");
            @setcookie('youyax_user', $user, time() + (60*60*24*30), "/");
            @setcookie('youyax_bz', 1, time() + (60*60*24*30), "/");
            echo '<script>window.location.href="' . $config['SITE'] . '";</script>';
            exit;
        } else {
            $_SESSION['youyax_data'] = 0;
            echo '<script>alert("input error or not activated");</script>';
        }
    }
If the username and password are correct, the session is set to youyax_data = 1, youyax_user = <username>, youyax_bz = 1. However, the client can construct exactly this session by itself. See the code in /Lib/IndexAction.php:

    public function index() {
        header("Content-Type:text/html; charset=utf-8");
        if (empty($_SESSION['youyax_user'])
            && !stristr($_SERVER['HTTP_USER_AGENT'], 'android')
            && !stristr($_SERVER['HTTP_USER_AGENT'], 'iphone')
            && !stristr($_SERVER['HTTP_USER_AGENT'], 'ipad')) {
            $cache = new Cache(20);
        }
        // The three cookies are only tested for presence, then copied straight into the session
        if (isset($_COOKIE['youyax_data']) && isset($_COOKIE['youyax_user']) && isset($_COOKIE['youyax_bz'])) {
            $_SESSION['youyax_data'] = $_COOKIE['youyax_data'];
            $_SESSION['youyax_user'] = $_COOKIE['youyax_user'];
            $_SESSION['youyax_bz'] = $_COOKIE['youyax_bz'];
        }
        if ($_SESSION['youyax_data'] == 1) {
            $bz = $_SESSION['youyax_bz'];
            $user = $_SESSION['youyax_user'];
            if ($bz != 1) $bz = 0;
            if ($bz == 0) {
                $_SESSION['youyax_user'] = "";
                $user = "";
                $_SESSION['youyax_data'] = 0;
            }
        } else {
            $_SESSION['youyax_user'] = "";
            $_SESSION['youyax_bz'] = "";
            $bz = 0;
            $user = "";
        }
        $this->assign('bz', $bz)->assign('user', $user);
    }
Obviously, the code only checks that the cookies exist and then assigns the cookie values to the session, which makes the session check meaningless. Construct a cookie of youyax_data=1; youyax_user=<username>; youyax_bz=1 and you are logged in as any user on the front end. For a BBS this vulnerability is fatal.

Solution: Remove unnecessary
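For contrast, a hardened version of the cookie-to-session block, added here as an illustration and not code from the youyax project: instead of trusting three plain cookies, the server issues one cookie carrying the username, an expiry and an HMAC under a server-side key, and only populates the session when the MAC verifies. The constant YOUYAX_COOKIE_KEY, the cookie name youyax_auth and the function names are assumptions for this example.

```php
<?php
// Added example (not youyax project code). Replaces the block in
// /Lib/IndexAction.php that copied raw cookie values into $_SESSION.
// Assumption: a server-side secret is configured as YOUYAX_COOKIE_KEY.
define('YOUYAX_COOKIE_KEY', 'PLACEHOLDER-replace-with-a-long-random-secret');

// Issue a persistent-login cookie after the password check in login.php has
// succeeded. The client cannot alter the username or expiry without the key.
function issue_login_cookie($user, $ttl = 60*60*24*30) {
    $expires = time() + $ttl;
    $payload = $user . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, YOUYAX_COOKIE_KEY);
    // HttpOnly so script on the page cannot read the cookie
    setcookie('youyax_auth', $payload . '|' . $mac, $expires, '/', '', false, true);
}

// Verify the cookie and return the username it vouches for, or null.
function user_from_login_cookie() {
    if (!isset($_COOKIE['youyax_auth'])) return null;
    $parts = explode('|', $_COOKIE['youyax_auth']);
    if (count($parts) !== 3) return null;          // malformed (also a '|' in the name)
    list($user, $expires, $mac) = $parts;
    if (!ctype_digit($expires) || (int)$expires < time()) return null;   // expired
    $expected = hash_hmac('sha256', $user . '|' . $expires, YOUYAX_COOKIE_KEY);
    if (!hash_equals($expected, $mac)) return null; // forged or tampered; constant-time compare
    return $user;
}

// Hardened replacement for the cookie handling in index(): the session is
// populated only from a cookie whose MAC verifies, never from raw cookie values.
function restore_session_from_cookie() {
    if (!empty($_SESSION['youyax_user'])) return;   // already logged in this session
    $user = user_from_login_cookie();
    if ($user === null) return;                     // absent, expired or forged
    $_SESSION['youyax_data'] = 1;
    $_SESSION['youyax_user'] = $user;
    $_SESSION['youyax_bz']   = 1;
}
```

The cookie only proves that this server issued it; re-checking status = 1 and complete = 0 in the database before trusting $user keeps accounts that were deactivated after issuance from logging in until the cookie expires.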