VULHUB ™

### 简要描述： shopex在找回密码的地方存在一些逻辑设计问题，导致可以预测新生成的密码，可能被用来攻击获取他人密码 ### 详细说明： 相关代码 /core/shop/controller/ctl.passport.php中： ``` function sendPSW(){ $this->begin($this->system->mkUrl('passport','lost')); $member=&$this->system->loadModel('member/member'); $data=$member->getMemberByUser($_POST['uname']); if(($data['pw_answer']!=$_POST['pw_answer']) || ($data['email']!=$_POST['email'])){ $this->end(false,__('问题回答错误或当前账户的邮箱填写错误'),$this->system->mkUrl('passport','lost')); } if( $data['member_id'] < 1 ){ $this->end(false,__('会员信息错误'),$this->system->mkUrl('passport','lost')); } $messenger = &$this->system->loadModel('system/messenger');echo microtime()."<br/>"; $passwd = substr(md5(print_r(microtime(),true)),0,6); ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201109/13164334c190a9d871ac436e730ebc80b412fe69.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201109/13164334c190a9d871ac436e730ebc80b412fe69.jpg)

### 简要描述： shopex在找回密码的地方存在一些逻辑设计问题，导致可以预测新生成的密码，可能被用来攻击获取他人密码 ### 详细说明： 相关代码 /core/shop/controller/ctl.passport.php中： ``` function sendPSW(){ $this->begin($this->system->mkUrl('passport','lost')); $member=&$this->system->loadModel('member/member'); $data=$member->getMemberByUser($_POST['uname']); if(($data['pw_answer']!=$_POST['pw_answer']) || ($data['email']!=$_POST['email'])){ $this->end(false,__('问题回答错误或当前账户的邮箱填写错误'),$this->system->mkUrl('passport','lost')); } if( $data['member_id'] < 1 ){ $this->end(false,__('会员信息错误'),$this->system->mkUrl('passport','lost')); } $messenger = &$this->system->loadModel('system/messenger');echo microtime()."<br/>"; $passwd = substr(md5(print_r(microtime(),true)),0,6); ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201109/13164334c190a9d871ac436e730ebc80b412fe69.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201109/13164334c190a9d871ac436e730ebc80b412fe69.jpg)