Phpcms v9.5.8-Design defects can reset any user password in the foreground

Source: Internet
Author: User

Verification of the reference vulnerability report: http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0152291.html

The vulnerability is in /phpcms/modules/member/index.php, lines 1687-1756, in the public_forget_password_username() function (reconstructed here from the garbled listing; the logic is the vulnerable v9.5.8 version):

    public function public_forget_password_username() {
        $step = intval($_POST['step']);
        $step = max($step, 1);
        $this->_session_start();
        if (isset($_POST['dosubmit']) && $step == 2) { // handle the submission; the mobile number is authoritative
            if ($_SESSION['code'] != strtolower($_POST['code'])) {
                showmessage(L('code_error'), HTTP_REFERER);
            }
            $username = safe_replace($_POST['username']);
            $r = $this->db->get_one(array('username' => $username), 'userid, email');
            if ($r['email'] == '') {
                $_SESSION['userid'] = '';
                $_SESSION['code'] = '';
                showmessage("The account does not have a mobile phone number, please choose another way to get it back!");
            } else {
                // note: an $_SESSION['emc'] left over from a previously selected account is not cleared here
                $_SESSION['userid'] = $r['userid'];
                $_SESSION['email'] = $r['email'];
            }
            $email_arr = explode('@', $r['email']);
            include template('member', 'forget_password_username');
        } elseif (isset($_POST['dosubmit']) && $step == 3) {
            $sms_report_db = pc_base::load_model('sms_report_model');
            $mobile_verify = $_POST['mobile_verify'];
            $email = $_SESSION['email'];
            if ($email) {
                if (!preg_match('/^([a-z0-9_]+)@([a-z0-9_]+).([a-z]{2,6})$/', $email)) exit('check email error');
                if ($_SESSION['emc_times'] == '' || $_SESSION['emc_times'] <= 0) {
                    showmessage("More than 5 verification attempts, the verification code is invalid, please re-get the email verification code!", HTTP_REFERER, 3000);
                }
                $_SESSION['emc_times'] = $_SESSION['emc_times'] - 1;
                // the submitted code is compared only against the session value, not against the account it was issued for
                if ($_SESSION['emc'] != '' && $_POST['email_verify'] == $_SESSION['emc']) {
                    $userid = $_SESSION['userid'];
                    $updateinfo = array();
                    $password = random(8, "23456789abcdefghkmnrstwxy");
                    $encrypt = random(6, "23456789abcdefghkmnrstwxyABCDEFGHKMNRSTWXY");
                    $updateinfo['encrypt'] = $encrypt;
                    $updateinfo['password'] = password($password, $encrypt);
                    $this->db->update($updateinfo, array('userid' => $userid));
                    $rs = $this->db->get_one(array('userid' => $userid), 'phpssouid');
                    if (pc_base::load_config('system', 'phpsso')) { // initialize phpsso
                        $this->_init_phpsso();
                        $this->client->ps_member_edit('', '', '', $password, $rs['phpssouid'], $encrypt);
                    }
                    $_SESSION['email'] = '';
                    $_SESSION['userid'] = '';
                    $_SESSION['emc'] = '';
                    $_SESSION['code'] = '';
                    pc_base::load_sys_func('mail');
                    sendmail($email, 'Password reset notification', "You used the password retrieval function at " . date('Y-m-d H:i:s') . " and reset the site password.");
                    include template('member', 'forget_password_username');
                    exit;
                } else {
                    showmessage("Captcha error! Please get it again!", HTTP_REFERER, 3000);
                }
            } else {
                showmessage("Illegal request!");
            }
        } else {
            include template('member', 'forget_password_username');
        }
    }

The first step runs:

    $step = intval($_POST['step']);
    $step = max($step, 1);
    $this->_session_start();

_session_start() starts the session, after which the session values are read from phpcms_session.

In the second step, the code checks whether the account has a bound email address and then returns to this page. Click "Get email verification code".

This is the URL at that point:

    /index.php?m=member&c=index&a=public_get_email_verify&session_code=ftrz&random=0.08188270693514244

This runs the public_get_email_verify() function:

    public function public_get_email_verify() {
        pc_base::load_sys_func('mail');
        $this->_session_start();
        $code = $_SESSION['emc'] = random(8, "23456789abcdefghkmnrstwxy");
        $_SESSION['emc_times'] = 5;
        $message = 'Your verification code is: ' . $code;
        sendmail($_SESSION['email'], 'Email password retrieval verification', $message);
        echo '1';
    }

It generates a random value for $_SESSION['emc'], sends it with sendmail(), and the third step later checks the submitted code against it.

The value of $_SESSION['emc'] is stored in the session and is the same value sent in the email. As long as the browser is not closed, the session value persists until it expires.

Now go back to the first step and enter a different account to reset; $_SESSION['emc'] still holds the value generated for the first account.

Then, without clicking "Get verification code", go directly to the step-3 branch:

    } elseif (isset($_POST['dosubmit']) && $step == 3) {

Submit the $_SESSION['emc'] value obtained for the first account as the third-step verification code.

Because the $_SESSION['emc'] value held in the browser session is known, this if-branch is entered and the password of the second account is reset.

This vulnerability was fixed in phpcms v9.6.0. The fix adds two statements to the first step, where $username is queried for a bound email address: it empties the value of $_SESSION['emc'], and it ensures that the userid in the session is reset when the user specifies the account whose email is used.
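As an added illustration (not phpcms code), the following stripped-down PHP model of the three-step flow uses an array in place of $_SESSION and shows both behaviours: the v9.5.8 logic, which still accepts a code issued while the first account was selected after the target is switched to a second account, and the corrected logic, which clears the code whenever the target account changes (as the v9.6.0 fix does) and additionally binds the code to the userid it was issued for. The function names, the emc_userid field and the sample userids and addresses are assumptions of this example.

```php
<?php
// Added model (not phpcms code): a plain array stands in for $_SESSION.
// $fixed=false reproduces the v9.5.8 logic; $fixed=true applies the fix.

function selectAccount(array &$session, int $userid, string $email, bool $fixed): void {
    // Step 2: the user names the account to reset.
    $session['userid'] = $userid;
    $session['email']  = $email;
    if ($fixed) {
        // v9.6.0-style fix: a code issued for a previously selected account must not survive.
        $session['emc'] = '';
        $session['emc_userid'] = null; // extra binding field, an assumption of this example
    }
}

function issueCode(array &$session, bool $fixed): string {
    // Counterpart of public_get_email_verify(): the code is mailed to $session['email'].
    $code = bin2hex(random_bytes(4));
    $session['emc'] = $code;
    $session['emc_times'] = 5;
    if ($fixed) {
        $session['emc_userid'] = $session['userid']; // remember which account it belongs to
    }
    return $code;
}

function verifyCode(array &$session, string $submitted, bool $fixed): bool {
    // Step 3: true means the reset would proceed for $session['userid'].
    if ($session['emc'] === '' || !hash_equals($session['emc'], $submitted)) {
        return false;
    }
    if ($fixed && $session['emc_userid'] !== $session['userid']) {
        return false; // the code was issued for a different account
    }
    return true;
}

// Regression check: obtain a code for one account, then switch the target account
// without requesting a new code. Userids and addresses are constructed sample data.
function resetSurvivesAccountSwitch(bool $fixed): bool {
    $session = ['userid' => null, 'email' => '', 'emc' => '', 'emc_times' => 0, 'emc_userid' => null];
    selectAccount($session, 1001, 'first@example.com', $fixed);
    $code = issueCode($session, $fixed);
    selectAccount($session, 1002, 'second@example.com', $fixed);
    return verifyCode($session, $code, $fixed);
}

var_dump(resetSurvivesAccountSwitch(false)); // v9.5.8 logic
var_dump(resetSurvivesAccountSwitch(true));  // with the fix
```

The first call reports that the reset would proceed for the second account; the second call, with the fix applied, rejects the stale code, which is the check a regression test for this flaw should assert.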

