Arbitrary ECSHOP Front-End User Login
Arbitrary user logon to the site is possible because of a code design defect. File: flow.php, starting at line 1:

elseif ($_REQUEST['step'] == 'login')
{
    include_once('languages/' . $_CFG['lang'] . '/user.php');

    /* User login / registration */
    if ($_SERVER['REQUEST_METHOD'] == 'GET')
    {
        .....
    }
    else
    {
        include_once('includes/lib_passport.php');

        if (!empty($_POST['act']) && $_POST['act'] == 'signin')
        {
            $captcha = intval($_CFG['captcha']);
            if (($captcha & CAPTCHA_LOGIN) &&
                (!($captcha & CAPTCHA_LOGIN_FAIL) || (($captcha & CAPTCHA_LOGIN_FAIL) && $_SESSION['login_fail'] > 2)) &&
                gd_version() > 0)
            {
                if (empty($_POST['captcha']))
                {
                    show_message($_LANG['invalid_captcha']);
                }

                /* Check the verification code */
                include_once('includes/cls_captcha.php');

                $validator = new captcha();
                $validator->session_word = 'captcha_login';
                if (!$validator->check_word($_POST['captcha']))
                {
                    show_message($_LANG['invalid_captcha']);
                }
            }

            /* $_POST['password'] is passed straight through; it is null when the field is not posted */
            if ($user->login($_POST['username'], $_POST['password'], isset($_POST['remember'])))
            {
                .....
            }
The above code performs the login operation via $user->login($_POST['username'], $_POST['password'], isset($_POST['remember'])). The login method is as follows:

function login($username, $password, $remember = null)
{
    if ($this->check_user($username, $password) > 0)
    {
        if ($this->need_sync)
        {
            $this->sync($username, $password);
        }
        $this->set_session($username);
        $this->set_cookie($username, $remember);
        return true;
    }
    else
    {
        return false;
    }
}

function check_user($username, $password = null)
{
    $post_username = $username;

    /* If no password is given, check the user name only */
    if ($password === null)
    {
        $sql = "SELECT " . $this->field_id .
               " FROM " . $this->table($this->user_table) .
               " WHERE " . $this->field_name . " = '" . $post_username . "'";
        return $this->db->getOne($sql);
    }
    else
    {
        $sql = "SELECT " . $this->field_id .
               " FROM " . $this->table($this->user_table) .
               " WHERE " . $this->field_name . " = '" . $post_username . "'" .
               " AND " . $this->field_pass . " = '" . $this->compile_password(array('password' => $password)) . "'";
        return $this->db->getOne($sql);
    }
}
The login operation ends up in the check_user method. When the password is null, only the user name is checked. In flow.php the password is neither checked nor initialised before it is passed in, so an account can be logged on with the user name alone.

URL: ./flow.php?step=login
POST: act=signin&username=xxxx&captcha=yyyyy

captcha is the verification code; it is not always required.

Solution:
Initialise the password before it is used.
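As an added example (not ECSHOP's own code), the fix applied at both layers: the flow.php sign-in branch initialises the user name and password from the request and refuses the login when either is absent, and the check_user() logic no longer has a user-name-only branch. The in-memory user table, password_hash() in place of compile_password(), and the two requests are constructed stand-ins.

```php
<?php
// Added example, not ECSHOP's own code: hardened versions of the two
// pieces shown above. A constructed in-memory user table stands in for
// the database; password_hash() stands in for compile_password().
declare(strict_types=1);

$users = [
    'alice' => ['user_id' => 1, 'pass' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Hardened check_user(): a missing or empty password is a hard failure.
// There is no branch that matches on the user name alone any more.
function check_user_hardened(array $users, string $username, ?string $password): int
{
    if ($password === null || $password === '') {
        return 0;
    }
    if (!isset($users[$username])) {
        return 0;
    }
    return password_verify($password, $users[$username]['pass']) ? $users[$username]['user_id'] : 0;
}

// What the flow.php sign-in branch should do before calling $user->login():
// initialise both fields from $_POST and reject the request if either is
// absent, instead of passing an undefined $_POST['password'] (null) through.
function handle_signin(array $users, array $post): array
{
    $username = isset($post['username']) ? trim((string) $post['username']) : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    if ($username === '' || $password === '') {
        return ['ok' => false, 'reason' => 'username and password are required'];
    }
    $id = check_user_hardened($users, $username, $password);
    if ($id > 0) {
        return ['ok' => true, 'user_id' => $id];
    }
    return ['ok' => false, 'reason' => 'invalid credentials'];
}

// Constructed requests: the first has the shape of the defective case
// (no password field at all), the second is a normal login.
foreach ([
    ['act' => 'signin', 'username' => 'alice'],
    ['act' => 'signin', 'username' => 'alice', 'password' => 'correct horse'],
] as $post) {
    $result = handle_signin($users, $post);
    echo json_encode($post), ' => ', json_encode($result), PHP_EOL;
}
```

Logging the "username and password are required" rejection separately from ordinary bad-credential failures gives a cheap signal for requests that omit the password field entirely.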