Discussion on a bug in the LB Forum

Source: Internet
Author: User

(Author: mikespook | Release Date: | views: 406)

Keywords: vulnerability, forum, LB
Many people on the Internet run the Leiao (LB) forum. It is generally considered convenient to use and has many plug-ins, but old hands know that this forum also has many vulnerabilities.
I am not interested in the CGI side of it, nor in forum permissions. What I want to talk about here is what a programmer should pay attention to.
About bugs

I don't know whether anyone else has noticed this bug. Today, while writing a program, I suddenly remembered the script on the s8s8 forum (which runs the Leiao forum program). If you reply to a post as a logged-in user, your username and password are already filled into the "Reply to topic quickly:" area, the password of course shown as ***. Is this a bug?

Now open the page source and search for name="password". You will find a field like this:

<input type="password" name="password" value="123456" onmouseover="this.focus()" onfocus="this.select()">

What is this? It is the password box, and the password sits there in plain view in value="123456".

Now let's look at how to get other people's usernames and passwords. Search the IE cache folder (Temporary Internet Files) for "s8s8" and many files named topic[1], topic[2] and so on will turn up. Open one in Notepad, search for name="membername" and read the username out of its value, then search for name="password" and read the password out of its value. (You do not actually need to search twice; I split it up only for convenience.) Now you can log in as that user.

This works whether or not you logged out afterwards. As long as you logged in, every page you visited was cached in the IE cache folder, and unless you clear that folder, the username and password are exposed. How many of you clear the cache folder when you have finished surfing?

Discussion

I don't understand what the forum gains by writing the username and password into the page. I have not read the complete Leiao code, but I do not feel it has to be done this way. I have read a lot of foreign PHP and ASP forum code, and I have never seen a forum that puts the username and password on the page so generously for anyone to view.
Another example is the verification code (CAPTCHA) at login. It is just something that looks good and makes everyone feel safer. If someone really wants to get your password, why would they go to that trouble? With this bug they do not even need to be connected to the Internet; they only need to look through the cache folder to get started.
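To make the mechanism in the two sections above concrete, here is an added Python example; it is not code from the Leiao/LB forum or from the article's author. It renders a quick-reply form the way the article describes (credentials in the input values), renders a fixed version that carries only a per-session token, and then pulls the fields out of saved pages the way the article does by hand in Notepad. The member record, the cache file names and the page content are all constructed for the example.

```python
"""Added example, not code from the Leiao/LB forum or the article's author.
It reproduces the leak the article describes and shows the fix; the member
record, file names and page content below are constructed."""
import secrets
import tempfile
from html import escape
from html.parser import HTMLParser
from pathlib import Path

# Constructed member record (in the real forum this would come from the member file).
USER = {"membername": "alice", "password": "123456"}


def render_quick_reply_vulnerable(user):
    """The pattern the article describes: the quick-reply form carries the
    logged-in user's credentials in the input values, so every copy of the
    topic page that the browser caches contains the plaintext password."""
    return (
        '<form action="post.cgi" method="post">\n'
        f'<input type="text" name="membername" value="{escape(user["membername"])}">\n'
        f'<input type="password" name="password" value="{escape(user["password"])}"'
        ' onmouseover="this.focus()" onfocus="this.select()">\n'
        '<textarea name="message"></textarea>\n'
        '</form>'
    )


def render_quick_reply_hardened(user, session_token):
    """Fixed form: the name is shown for display only and the form carries a
    random per-session token that the server maps back to the account, so the
    HTML holds nothing worth stealing from the cache."""
    return (
        '<form action="post.cgi" method="post">\n'
        f'<p>Posting as {escape(user["membername"])}</p>\n'
        f'<input type="hidden" name="session_token" value="{escape(session_token)}">\n'
        '<textarea name="message"></textarea>\n'
        '</form>'
    )


class _InputCollector(HTMLParser):
    """Collects name -> value for every <input> tag in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def scan_cached_page(html_text):
    """What the article does by hand in Notepad on files from the IE cache:
    pull membername and password out of a saved topic page. Returns {} when
    the page carries no credentials."""
    p = _InputCollector()
    p.feed(html_text)
    p.close()
    return {k: p.fields[k] for k in ("membername", "password") if p.fields.get(k)}


def scan_cache_dir(directory):
    """Walk a cache folder and report every page that leaks credentials."""
    leaks = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            found = scan_cached_page(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                leaks[path.name] = found
    return leaks


def demo():
    """Simulate a browser cache holding one vulnerable page and one fixed page."""
    with tempfile.TemporaryDirectory() as cache:
        # Entry names modelled on the "topic[1]", "topic[2]" files the article mentions.
        Path(cache, "topic[1]").write_text(render_quick_reply_vulnerable(USER), encoding="utf-8")
        Path(cache, "topic[2]").write_text(
            render_quick_reply_hardened(USER, secrets.token_hex(16)), encoding="utf-8")
        return scan_cache_dir(cache)


if __name__ == "__main__":
    for name, creds in demo().items():
        print(f"{name}: {creds}")
```

Running it reports topic[1] with alice's username and password and nothing for topic[2]. The hardened form also drops the onmouseover/onfocus handlers, which only existed to select the pre-filled password; a real fix would additionally send Cache-Control: no-store on authenticated pages so that copies never reach the disk in the first place.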

Summary

In fact, this bug is not unique to the Leiao forum; many programs have the same thing (especially Chinese programs, and it is unclear who copied whom). I personally think that as programmers we should do something practical. Flashy features are fine to play with, but never rely on them; otherwise they are just window dressing.
