### Summary:

PHPYUN design flaw: the CAPTCHA is effectively useless

### Details:

Nowhere in the application is a CAPTCHA expired after it has been checked, so the CAPTCHA provides no real protection. Take password recovery as an example, `model/forgetpw.class.php`:

```php
function sendpw_action() {
    // The submitted CAPTCHA is compared against the session value, but the
    // session value is never cleared, on the error path or on the success path.
    if(md5($_POST["authcode"])!=$_SESSION['authcode']){
        $this->obj->ACT_msg("index.php?M=forgetpw","验证码错误","2");
    }
    // Generate a random password of 8-12 characters from this alphabet.
    $pass =array("A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","g","k","l","m","n","o","p","q","r","s","t","u","v","w","x","w","z","1","2","3","4","5","6","7","8","9","0");
    $len = rand(8,12);
    for($i=0;$i<$len;$i++) {
        $k = rand(0,36);
        $password.=$pass[$k];
    }
    // Look up the account by the username supplied in the request.
    $info = $this->obj->DB_select_once("member","`username`='".$_POST["username"]."'");
    if(is_array($info)) {
        if($this->config['sy_uc_type']=="uc_center" &&$info['name_repeat']!="1") {
            // UCenter-managed account: push the new password to UCenter.
            $this->obj->uc_open();
            uc_user_edit($info['username'], "", $password, $info['email'],"0");
        }else{
            // Local account: store salted md5 of the new password.
            $salt = substr(uniqid(rand()), -6);
            $pass2 = md5(md5($password).$salt);
            $value="`password`='".$pass2."',`salt`='".$salt."'";
            $this->obj->DB_update_all("member",$value,"`username`='".$_POST["username"]."'");
        }
        // Mail the new password to the address on file.
        $this->send_msg_email(array("username"=>$_POST["username"],"password"=>$password,"email"=>$info['email'],"moblie"=>$info['moblie'],"type"=>"getpass"));
        $this->obj->ACT_msg("index.php?M=forgetpw", $msg = "新密码已发送到您的邮箱,请查收后登录系统修改密码!", $st = 2, $tm = 3);
    }else{
        $this->obj->ACT_msg("index.php?M=login", $msg = "对不起!没有该用户!", $st = 2, $tm = 3);
    }
    // No unset($_SESSION['authcode']) anywhere in this function.
}
```

Neither the success path nor the failure path here unsets the session value, so a CAPTCHA that has already been solved never expires and can be reused over and over. As a result, anyone who knows a user's email address can reset other users' passwords in bulk.

### Proof of vulnerability:

I won't bother running it through Burp here! Being able to reset a user's password just by entering an email address doesn't feel right at all; what if the user registered with a fake email address? Then after this is done, wouldn't the password be lost forever?
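The single-use behaviour the report says is missing, shown as an added example that is not PHPYUN's code: the check assumes, as the handler above does, that the CAPTCHA generator stores `md5($code)` in `$_SESSION['authcode']`; the function names and the session array passed by reference are illustrative, and the sample session values are constructed.

```php
<?php
// Added example (not PHPYUN's code). Assumption: the CAPTCHA image handler
// stores md5($code) in $_SESSION['authcode'], as sendpw_action() expects.

// Pattern from the report: the stored value survives the comparison, so the
// same solved CAPTCHA is accepted again by every later request.
function verify_captcha_vulnerable(array &$session, string $input): bool
{
    return isset($session['authcode']) && md5($input) == $session['authcode'];
}

// Hardened pattern: consume the stored value on every attempt, pass or fail,
// and compare in constant time. A replay finds nothing left to compare against.
function verify_captcha_once(array &$session, string $input): bool
{
    if (!isset($session['authcode'])) {
        return false;
    }
    $stored = (string) $session['authcode'];
    unset($session['authcode']);              // single use: invalidate first
    return hash_equals($stored, md5($input));
}

// Simulate one session across several requests (constructed data, no HTTP).
$session = ['authcode' => md5('k7x2')];       // what the image handler would set

// With the vulnerable check the replayed answer is accepted every time.
$first  = verify_captcha_vulnerable($session, 'k7x2');
$replay = verify_captcha_vulnerable($session, 'k7x2');
echo "vulnerable: first=" . var_export($first, true)
   . " replay=" . var_export($replay, true) . PHP_EOL;

// With the single-use check the replay fails: the session no longer holds a code.
$session = ['authcode' => md5('k7x2')];
$first  = verify_captcha_once($session, 'k7x2');
$replay = verify_captcha_once($session, 'k7x2');
echo "single-use: first=" . var_export($first, true)
   . " replay=" . var_export($replay, true) . PHP_EOL;

// A wrong answer also burns the stored code, so repeated guesses against one
// stored value are not possible; the client must request a fresh image.
$session = ['authcode' => md5('k7x2')];
$wrong   = verify_captcha_once($session, 'zzzz');
echo "wrong guess=" . var_export($wrong, true)
   . " code still present=" . var_export(isset($session['authcode']), true) . PHP_EOL;
```

In the real handler the same fix is an `unset($_SESSION['authcode'])` immediately after the comparison on both branches, and a fresh code must be generated before the form is shown again.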