Arbitrary user password reset by Dongfang fortune network, user information leakage

1. change the password of any user. 1.1 The system supports password retrieval for the user name, email address, and mobile phone number. 1.2 you can use the password retrieval function to retrieve any user information; 1.3 The system will send a 6-digit verification code to the corresponding mobile phone; 1.4 enter a 6-digit verification code at will to submit and capture the package; POST/AjIsExtPhone. emUser HTTP/1.1 Host: passport. eastmoney. comUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv: 19.0) Gecko/20100101 Firefox/19.0 Accept: */* Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset = UTF-8X-Requested-With: XMLHttpRequestReferer: 000046 Cookie: input_activecode = 411504 & hide_phone = 136 xxxxxxx 1.5 sets the input_activecode parameter as the brute-force cracking parameter, here we will demonstrate how to set a smaller 6-digit range containing the real verification code. We can determine the real verification code based on the length of the response byte; 1.6 after obtaining the real verification code, return to the Reset page, but the verification fails. We re-use the phone to retrieve the password. After receiving the text message, we found that the verification code remains unchanged. Therefore, we successfully reset the user password using the cracked verification code. 2. user information leakage. Use the password reset function to open the browser F12;
 Solution:

Set the verification code validity period properly to limit the number of verification errors!