Ecshop verification code (captcha) bypass: a logic vulnerability
A logic flaw in the captcha check allows it to be bypassed.
Although the captcha value is stored in encrypted (MD5-hashed) form, the checking logic still has problems.
The problem lies in ..\Shortdes\cls_captcha.php
In the check function below, the comparison result is returned directly; a failed check is not handled, so the stored captcha is not cleared.

    function check_word($word)
    {
        // stored value, saved base64-encoded in the session
        $recorded = isset($_SESSION[$this->session_word]) ? base64_decode($_SESSION[$this->session_word]) : '';
        $given = $this->encrypts_word(strtoupper($word)); // MD5 encryption processing

        return (preg_match("/$given/", $recorded)); // verification rule
    }
In other words, because the captcha stored in the SESSION is not cleared when a login attempt fails, the same captcha value remains valid and the login can be retried against it repeatedly.
The calling code in ..\Ecshop\admin\privilege.php does not handle a failed check either:

    if (intval($_CFG['captcha']) & CAPTCHA_ADMIN)
    {
        include_once(ROOT_PATH . 'shortdes/cls_captcha.php');

        /* check whether the verification code is correct */
        $validator = new captcha();
        if (!empty($_POST['captcha']) && !$validator->check_word($_POST['captcha']))
        {
            sys_msg($_LANG['captcha_error'], 1);
        }
    }

    $_POST['username'] = isset($_POST['username']) ? trim($_POST['username']) : '';
    $_POST['password'] = isset($_POST['password']) ? trim($_POST['password']) : '';

    $sql = "SELECT `ec_salt` FROM " . $ecs->table('admin_user') . " WHERE user_name = '" . $_POST['username'] . "'";
    echo $sql . "<br/>";
    $ec_salt = $db->getOne($sql);

    if (!empty($ec_salt))
    {
        /* check whether the password is correct */
        $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login, suppliers_id, ec_salt " .
               "FROM " . $ecs->table('admin_user') .
               " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5(md5($_POST['password']) . $ec_salt) . "'";
    }
    else
    {
        /* check whether the password is correct */
        $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login, suppliers_id, ec_salt " .
               "FROM " . $ecs->table('admin_user') .
               " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5($_POST['password']) . "'";
    }

    $row = $db->getRow($sql);
    if ($row)
    {
        ....
    }
Solution:
As the code above shows, the captcha entry in the session is never cleared after it is checked. The fix is to empty (null) the captcha session entry on every login attempt, so that each attempt requires a freshly generated captcha.
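The vulnerable check beside a single-use version, as an added example that is not ECShop's own code. It simulates the session with a plain array, and encrypt_word() is a hypothetical stand-in for the page's encrypts_word() (MD5 of the upper-cased text).

```php
<?php
// Added example, not ECShop's code. $session stands in for $_SESSION.
// encrypt_word() is a hypothetical stand-in for the page's encrypts_word().
function encrypt_word(string $word): string
{
    return md5(strtoupper($word));
}

// Vulnerable shape, as on the page: the stored value survives a failed check,
// so the same captcha can be submitted again in later requests.
function check_word_vulnerable(array &$session, string $word): bool
{
    $recorded = isset($session['captcha']) ? base64_decode($session['captcha']) : '';
    $given = encrypt_word($word);
    return preg_match("/$given/", $recorded) === 1;
}

// Hardened shape: the stored value is consumed on every check, pass or fail,
// an empty submission is rejected, and the comparison is a constant-time equality.
function check_word_hardened(array &$session, string $word): bool
{
    $recorded = isset($session['captcha']) ? base64_decode($session['captcha']) : '';
    unset($session['captcha']); // single use: the next attempt needs a new captcha
    if ($word === '' || $recorded === '') {
        return false;
    }
    return hash_equals($recorded, encrypt_word($word));
}

// Constructed scenario: the server issued captcha "AB12"; two guesses follow,
// a wrong one and then the right one, without fetching a new captcha in between.
$session = ['captcha' => base64_encode(encrypt_word('AB12'))];
$wrong = check_word_vulnerable($session, 'ZZZZ');
$retry = check_word_vulnerable($session, 'AB12'); // stale value is still in the session
printf("vulnerable: wrong=%d retry=%d\n", $wrong, $retry);

$session = ['captcha' => base64_encode(encrypt_word('AB12'))];
$wrong = check_word_hardened($session, 'ZZZZ');
$retry = check_word_hardened($session, 'AB12'); // value was consumed by the first check
printf("hardened:   wrong=%d retry=%d\n", $wrong, $retry);
```

In the login flow the hardened check must also run unconditionally, not only when $_POST['captcha'] is non-empty as in the privilege.php code above.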