Password Reset Vulnerability for any user on a ZTE website (typical design defect cases)
Detailed description:
Password Reset Vulnerability for any user on a ZTE website
Proof of vulnerability:
1. The ZTE appstar website reported earlier, http://www.appstar.com.cn, where points can be exchanged for recharge cards (see WooYun: any gift exchange vulnerability in credit mall recharge cards of a website of ZTE).
2. There is also a password reset vulnerability for any user. The token in the password retrieval link is not random enough; it appears to be derived from the current time. An attacker can therefore reset a user's password without ever seeing the retrieval link sent to that user's mailbox. After resetting another user's password, the attacker can spend that user's points in the credit mall on a gift.
3. First, use two accounts to retrieve the password at the same time for comparison. Open two windows and click "retrieve password" for both accounts:
4. Go to your mailbox and check the password retrieval link:
The "random" tokens differ only by 4. I'm on a data card here; on a good network connection they would differ by only 1-2. The token is easily guessed.
5. The next step is to use the constructed link to retrieve the password:
6. Registered email addresses can be confirmed through the registration form: entering an address that is already registered shows a red X prompt indicating that the email address has been taken:
Not registered
Registered
Solution: strengthen the randomness of the reset token.
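The fix the report asks for, as an added example that is not the site's own code: a clock-derived token (the pattern described above, shown only for contrast) next to a reset-token scheme that draws 256 bits from the OS CSPRNG, stores only the token's hash, expires the link, and allows it to be used once. The in-memory `_reset_store` is a hypothetical stand-in for the site's database; the `now` parameter exists so expiry can be exercised deterministically.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


# Hypothetical in-memory store standing in for the site's database.
# Keys are SHA-256 hex digests of the raw token, never the raw token itself.
_reset_store: Dict[str, ResetRecord] = {}


def weak_token() -> str:
    """The flawed pattern the report describes: a token that is just the clock.

    Two requests made a few milliseconds apart yield nearly equal values,
    which is why the two links in the proof differ by only 4.
    """
    return str(int(time.time() * 1000))


def _hash_token(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a reset token for user_id and return the raw value to e-mail.

    secrets.token_urlsafe(32) gives 32 CSPRNG bytes (256 bits of entropy),
    so tokens issued for two accounts at the same instant share nothing.
    Only the hash is stored: a leaked table does not yield usable links.
    """
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    _reset_store[_hash_token(raw)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
    return raw


def redeem_reset_token(raw: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token belongs to, or None if it is not valid.

    A token is rejected if it is unknown, already used, or past its expiry.
    Marking it used on success makes each e-mailed link single-use.
    """
    now = time.time() if now is None else now
    record = _reset_store.get(_hash_token(raw))
    if record is None or record.used or now > record.expires_at:
        return None
    record.used = True
    return record.user_id


if __name__ == "__main__":
    link_token = issue_reset_token("alice")
    print("weak (clock) token:", weak_token())
    print("strong token sent by mail:", link_token)
    print("redeem once:", redeem_reset_token(link_token))
    print("redeem again:", redeem_reset_token(link_token))
```

Because the stored value is a hash and lookup is by exact key, the server never needs to compare raw tokens; the expiry window should be short enough that even a leaked link has little value, and the record should be invalidated as soon as the password is changed.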