After ThinkSNS enables email verification, it is insecure to modify the connection sent by the account email address, which can be forged.
Latest Version 2.8
Code Location:
Thinksns \ addons \ services \ ValidationService. class. php
$ Validation_code = $ this->__ generateCode ($ vid );
$ Target_url = $ target_url. "& validationid = $ vid & validationcode = $ validation_code ";
$ Res = model ('validation ')-> where ("'validation _ id' = $ vid")-> setField (array ('code ', 'target _ url'), array ($ validation_code, $ target_url ));
If ($ res ){
Return $ target_url;
} Else {
Return false;
}
Private function _ generateCode ($ id ){
Return md5 ($ id. 'thinksns # ^! @ * # % ^! @#');
}
Obviously, this validationid and validationcode can be easily forged. As an open-source program, this should be configured during constant installation, but they do not
Let's talk about the use
Add a (User ID is assumed to be 1) the user will receive a verification connection after modifying the Security mailbox.
As follows:
Http://test.thinksns.com/index.php? App = home & mod = Public & act = doModifyEmail & validationid = 1 & validationcode = 304dbee8afac9f91bc211009ce9de3e8
Validationcode is equal to md5 ("1 thinksns # ^! @ * # % ^! @#")
Therefore, you can bypass all verification tasks in this way.
Fortunately, the data is not given a low level of security through the parameter reception.
Solution:
Use a custom constant to replace thinksns # ^! @ * # % ^! @#
Or play it freely!