Arbitrary user password modification vulnerability on the official website of Diamond Bird (zbird.com)
The vulnerability is in the mobile phone number modification function under Personal Center > Account Security. When changing the phone number, you only need to change the BriddMember_uid value in the cookie to any user's id to change that account's mobile phone number; the password can then be reset through the "retrieve password by phone number" flow, giving control of any user's password. In addition, the user information interface http://www.zbird.com/pointgift/memberinfo reads the same cookie value, so modifying it also exposes the user's nickname and points data.
In the mobile edition at http://m.zbird.com/member/, modifying the ZBIRDMOBILE_CARDNO cookie value exposes any user's account information, including orders and points.
I. Modify the password of any user
Register an account, then go to Personal Center > Account Security and click Modify mobile phone number.
Enter the new mobile phone number.
If you enter a mobile phone number that is already registered, a prompt is displayed. Changing the returned value in the response packet to 200 bypasses this verification, which means the same mobile phone number can be bound to multiple accounts.
Change the cookie value BriddMember_uid to any user's ID and click Submit; that user's mobile phone number is changed to our own number. The password can then be retrieved via the mobile phone number and used to log on.
II. Arbitrary user points and nickname viewing vulnerability
API interface: http://www.zbird.com/pointgift/memberinfo
Modify the BriddMember_uid value of the cookie.
III. User information vulnerability in the mobile edition
Log on to the mobile site http://m.zbird.com/ and modify the ZBIRDMOBILE_CARDNO value to view any user's order and points information.
I. Modify any user's password
I only changed the mobile phone number and password of user ID 1, nothing else.
Solution:
Verify the validity of the cookie.
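As an added example (not code from this report or from zbird.com), the Python sketch below contrasts the reported pattern, a uid taken straight from the client-writable BriddMember_uid cookie, with what "verify the cookie" means in practice: an HMAC-signed opaque session id that the server resolves to a uid, plus a server-side uniqueness check on the new phone number at write time, so the duplicate-number rejection no longer depends on the response the client sees. The user table, session store and key are constructed stand-ins.

```python
import hmac
import hashlib
import secrets

# Constructed stand-ins for the site's database and session store (assumptions,
# not the real zbird.com backend).
USERS = {1: {"phone": "13800000001"}, 2: {"phone": "13800000002"}}
SESSIONS = {}                      # opaque session id -> uid, server side only
SERVER_KEY = b"constructed-demo-key-rotate-in-production"


def vulnerable_change_phone(cookies, new_phone):
    """Mirrors the reported flaw: the uid is read from a client-writable cookie,
    so whoever edits BriddMember_uid chooses whose phone number is rewritten."""
    uid = int(cookies["BriddMember_uid"])
    USERS[uid]["phone"] = new_phone
    return uid


def login(uid):
    """Issue a random session id plus an HMAC over it; the uid never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = uid
    sig = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return {"sid": sid, "sig": sig}


def current_uid(cookies):
    """Resolve the caller from the session cookie; None if missing or tampered."""
    sid, sig = cookies.get("sid", ""), cookies.get("sig", "")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return SESSIONS.get(sid)


def hardened_change_phone(cookies, new_phone):
    """Binds the phone to the authenticated user only and enforces phone
    uniqueness on the server at write time, so a client that rewrites the
    duplicate-number response cannot bypass it. Returns (ok, reason)."""
    uid = current_uid(cookies)
    if uid is None:
        return False, "not authenticated"
    owner = next((u for u, rec in USERS.items() if rec["phone"] == new_phone), None)
    if owner is not None and owner != uid:
        return False, "phone already bound to another account"
    USERS[uid]["phone"] = new_phone
    return True, "ok"
```

Any extra BriddMember_uid cookie sent alongside the session cookie is simply ignored by the hardened handler, because identity comes only from the server-side session lookup.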
Note: Only the mobile phone number and password of the account with uid 1 were changed; no other accounts were touched. Please reset that account's mobile phone number and password and fix the vulnerability.