Due to a logical defect in Pacific Insurance, the system can access any user account in seconds (the plaintext password of the user can be obtained directly)

(Password modification is not a vulnerability. You can directly access any account !!!) If you reference the 7th floor: It is said that you are afraid of giving too much rank to attract attention. If you get a hole, you are not afraid of giving it too low to cause public anger and causing it to be dug? "Security is a whole. to ensure security, it is not how powerful it is, but where it is actually weak." -- Jianxin
After registration, the activation email will jump to a successful activation page, and then automatically jump to the member center (LOGIN status ). The following http://member.cpic.com.cn/ucf/register/regActiveOk page? Theme = new & email = email Address & msg = activeSuccess 5 seconds later, it will automatically jump to the member center. There is a logical defect here. to access another user's account, you only need to know the email address. For example, if you have registered an account, you can use this link (after opening it, you have to wait for the automatic jump, can't click manually) enter my account: http://member.cpic.com.cn/ucf/register/regActiveOk? Theme = new & email = smtp_admin@yeah.net & msg = activeSuccess proof of vulnerability: http://member.cpic.com.cn/ucf/register/regActiveOk? Theme = new & email = smtp_admin@yeah.net & msg = activeSuccess in this process there are several ajax login requests initiated by one of the requests highlighted blind !!! Plaintext Password !!!!
 Solution:

Fix logical problems