YouYaX Forum front-end account logon and repair

The/ext/mobile/login. php logon page is as follows:

If (isset ($ _ POST ['sub']) {include ('.. /.. /ext_public/database_mobile.php '); mysql_query ("set names 'utf8'"); $ SQL = "select * from ". $ config ['db _ prefix']. "user where binary user = '". addslashes ($ _ POST ['user']). "'and binary pass = '". md5 (addslashes ($ _ POST ['pass']). "'and status = 1 and complete = 0"; $ user = $ _ POST ['user']; $ result = mysql_query ($ SQL ); $ num = mysql_num_rows ($ result); if ($ num = 1) {$ _ SESSION ['youyax _ data'] = 1; $ _ SESSION ['youyax _ user'] = $ user; $ _ SESSION ['youyax _ bz'] = 1; @ setcookie ('youyax _ data', 1, time () + (60*60*24*30), "/"); @ setcookie ('youyax _ user', $ user, time () + (60*60*24*30), "/"); @ setcookie ('youyax _ bz', 1, time () + (60*60*24*30), "/"); echo '<script> window. location. href = "'. $ config ['SITE']. '"; </script>'; exit;} else {$ _ SESSION ['youyax _ data'] = 0; echo '<script> alert ("input error or not activated"); </script> ';}}

 

If the account password is correct, the session youyax_data = 1 youyax_user = user youyax_bz = 1 is granted. However, this session can be constructed by itself. See the code for/Lib/IndexAction. php.

public function index()    {        header("Content-Type:text/html; charset=utf-8");        if (empty($_SESSION['youyax_user']) && !stristr($_SERVER['HTTP_USER_AGENT'], 'android') && !stristr($_SERVER['HTTP_USER_AGENT'], 'iphone') && !stristr($_SERVER['HTTP_USER_AGENT'], 'ipad')) {            $cache = new Cache(20);        }        if(isset($_COOKIE['youyax_data']) && isset($_COOKIE['youyax_user']) && isset($_COOKIE['youyax_bz'])){         $_SESSION['youyax_data'] = $_COOKIE['youyax_data'];         $_SESSION['youyax_user'] = $_COOKIE['youyax_user'];         $_SESSION['youyax_bz'] = $_COOKIE['youyax_bz'];    }        if ($_SESSION['youyax_data'] == 1) {            $bz   = $_SESSION['youyax_bz'];            $user = $_SESSION['youyax_user'];            if ($bz != 1)                $bz = 0;            if ($bz == 0) {                $_SESSION['youyax_user'] = "";                $user                    = "";                $_SESSION['youyax_data'] = 0;            }        } else {            $_SESSION['youyax_user'] = "";            $_SESSION['youyax_bz']   = "";            $bz                      = 0;            $user                    = "";        }        $this->assign('bz', $bz)->assign('user', $user);

 

Obviously. Check the cookie and then assign the cookie value to the session. The session will become meaningless .. Construct a Cookie: youyax_data = 1; youyax_user = username; youyax_bz = 1. You can log on to any user at the front-end. This vulnerability is fatal for a bbs. Solution:Remove unnecessary