详细说明:
control/user.php function dogetpass(){ ...... }elseif(isset($this->post['verifystring'])){ $uid=$this->post['uid']; $encryptstring=$this->post['verifystring']; $idstring=$_ENV['user']->get_idstring_by_uid($uid,$this->time); if($idstring==$encryptstring){ //没考虑到提交为空与查询返回为空的情况,一个逻辑错误 $newpass = $this->post['password']; $renewpass = $this->post['repassword']; $error=$_ENV['user']->checkpassword($newpass,$renewpass); if($error=='OK'){ //eval($this->plugin["ucenter"]["hooks"]["getpass"]); UC_OPEN && $msg=$_ENV['ucenter']->getpass($uid,$newpass); $_ENV['user']->update_field('password',md5($newpass),$uid); $_ENV['user']->update_getpass($uid); $this->message($this->view->lang['resetPassSucess'],'index.php?user-login',0); }else{ $this->message($error,'BACK',0); } }else{ $this->message($this->view->lang['resetPassMessage'], WIKI_URL ,0); } } function get_idstring_by_uid($uid,$time){ //取验证码 return $this->db->result_first("SELECT code FROM ".DB_TABLEPRE."activation WHERE uid=$uid AND available=1 AND type=1 AND time>($time-3*24*3600) ORDER BY time DESC"); }
漏洞证明:
http://wiki.somesite.com/index.php?user-getpass-用户id
正常情况应该是这样,user-getpass-1-xxx,但是因为逻辑问题,可以绕过去。
这种情况下表单内verifystring变量为空,直接输入两次新密码就重置了。
其实,这里还有个注射的,取验证码的时候。。。
修复方案:
逻辑问题,考虑一下检测码为空,并且数据库内没有该用户重置记录的情况。
临时解决方案:
}elseif(isset($this->post[‘verifystring’])){
$uid=$this->post[‘uid’];
$encryptstring=$this->post[‘verifystring’];
$idstring=$_ENV[‘user’]->get_idstring_by_uid($uid,$this->time);
/* 判断一下空的情况 */
if(empty($encryptstring) || empty($idstring)){
$this->message($error,’BACK’,0);
}
评论关闭。