Lefeng's user authentication system has a logic vulnerability that allows you to modify any user password.
The number of vulnerabilities is less than 15, but the difficulty, scope of impact, reuse, and other impacts are considered here, and the user authentication system is attacked. Therefore, I feel a great threat.
This cannot be described in too much detail ,,
1. password retrieval: There are two methods: mail and phone, but the verification code is 6 digits (email), which is valid for 24 hours. It can be violent.
2. The verification code after use is not destroyed and can be used again within 24 hours. This is very dangerous. As long as you retrieve the password, it can be modified within 24 hours.
3. In combination with 1, 2, write a program and run it. You can find the link that uses the password retrieval within 24 hours and reset the password for them.
There is a problem here, because changing the password does not know who it is, so it may be difficult to change the password of multiple URLs during fixed-point attacks. However, give it to the program or a small dish.
Proof of vulnerability:
1. The program runs to a www.2cto.com
2,
Solution:
1. Reduce the verification code Validity Period
2. Destroy after use
3. It is not difficult to add a complex verification code program,
4. Limit the single ip address submission frequency of this function
Author: unic02n