Kaiyuan Travel: password reset channel design defect allows resetting user passwords
If the previously reported vulnerability is exploitable, resetting a password becomes even easier.
The design defect is that the password reset link is a fixed value: no matter how many reset requests are sent, the link is always the base64 encoding of the email address plus a fixed numeric id. There is no random token. To rebuild the link you need either (1) the user's email address and id, or (2) if the previous vulnerability is usable, the leaked back end, which lists every user's email address and id.
Reset link, for example: the user [email protected] has the password 111111, and the reset link is:
http://www.kaiyuan.eu/?go=register&mod=setpass&email=[email protected]&id=91670
Base64-encoded:
http://www.kaiyuan.eu/? Operator =
Before the link works, the string after the `?` must be URL-encoded (mainly the `=` padding characters of the base64 output); otherwise the page does not perform the reset.
The final reset link is:
http://www.kaiyuan.eu/?California%3d%3d
The reset succeeds.
Method 1: the id is not known
The email address is known, but the id is not directly visible. Because the id is a fixed, sequential number assigned to each user at registration, it can be found by brute force: in the initial test, ids from 1 to 149800 were tried with no rate limiting or lockout, so hitting the correct one is only a matter of time.
Cracked successfully.
Method 2: the back end leaked by the previous vulnerability exposes each user's email address and id.
Take the user's email address and id from there and build the reset link as described above: http://www.kaiyuan.eu/?California%3d
Solution:
Strengthen verification of the reset link.
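The defect described above (a reset link that is a pure function of email address and a small sequential id) and the fix the report asks for can both be shown in a few lines. The following is an added example written for this page; it is not code from the Kaiyuan site, and the parameter names, URL layout and the in-memory token store are assumptions modelled on the link shown in the report. The first function reproduces the flawed scheme: anyone who knows the email and id can rebuild the link, and decoding it reveals that it carries no secret at all. The second part is the hardened form a practitioner would want: a random, hashed, expiring, single-use token that cannot be derived from any user data.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import quote, unquote

BASE_URL = "http://www.kaiyuan.eu/?"  # base URL taken from the report; values below are constructed


# --- Flawed scheme (models the defect described in the report) -------------------
def flawed_reset_link(email: str, user_id: int, base: str = BASE_URL) -> str:
    """Deterministic link: base64 of email + id, '=' padding URL-encoded as the report notes.
    No randomness, no expiry, no single use: knowing email and id is enough to rebuild it."""
    params = f"go=register&mod=setpass&email={email}&id={user_id}"  # assumed parameter layout
    return base + quote(base64.b64encode(params.encode()).decode(), safe="")


def decode_flawed_link(link: str, base: str = BASE_URL) -> str:
    """Show that the link contains only guessable data (used to illustrate the weakness)."""
    return base64.b64decode(unquote(link[len(base):])).decode()


# --- Hardened scheme -------------------------------------------------------------
class ResetTokenStore:
    """Server-side store of pending reset tokens (in-memory here; a database in practice)."""

    TTL_SECONDS = 15 * 60  # short lifetime limits the window in which a leaked token is useful

    def __init__(self, clock=time.time):
        self._clock = clock               # injectable clock so expiry can be tested offline
        self._pending = {}                # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: int) -> str:
        # 32 bytes from the OS CSPRNG: not derivable from email, id or any other user data.
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked table does not hand out live reset tokens.
        self._pending[self._hash(token)] = (user_id, self._clock() + self.TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id if the token is valid, otherwise None. Valid or not, the
        entry is removed, so a token can be used at most once."""
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def hardened_reset_link(store: ResetTokenStore, user_id: int, base: str = BASE_URL) -> str:
    """The link carries only the random token; the user id is looked up server-side."""
    return base + "go=register&mod=setpass&token=" + store.issue(user_id)


if __name__ == "__main__":
    link = flawed_reset_link("user@example.com", 91670)   # constructed sample user
    print("flawed link decodes to:", decode_flawed_link(link))
    store = ResetTokenStore()
    print("hardened link:", hardened_reset_link(store, 91670))
```

Looking up the token by its hash also means the server never compares raw tokens, so no timing side channel on the comparison exists; with a real database, index the hash column and delete the row on redemption exactly as `redeem` does here.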