Fine fast CMS news content management system vulnerability - vulnerability warning - the black bar safety net

2011-01-03 00:00:00
Anonymous (佚名)
www.myhack58.com
MYHACK58:62201128755

Author: mind. Original: http://t00ls.net/thread-14046-1-1.html
First of all, I'm just a rookie; I don't even understand basic PHP syntax very well. The following is my personal analysis; if there are errors, please forgive me.
The main problem is in password retrieval: member.php?action=getpw.
case 'getpw':
    $showsubmenu = 0;
    $log_status && showmsg($lang['login_already'], $forward);
    if (isset($_POST['submit'])) {
        $msg = $_POST['hash'] == $ghash ? '' : $lang['hash_error'];
        if ($set_captcha[1]) {
            $msg or check_captcha($_POST['captcha']) or $msg = $lang['checkcode_error'];
        }
        $username = trim($_POST['username']);
        $email = trim($_POST['email']);
        if (!($member->checkuser($username, 0) && $member->checkemail($email, 0))) { // 0 means: do not check for existence
            showmsg($member->info);
        }
        $r = $member->get(0, 'userid,email,question,answer', "username='$username'");
        if ($r) {
            $answer = shtmlspecialchars($_POST['answer']);
            if ($r['email'] != $email) showmsg($lang['email_name_error']);
            elseif ($r['question'] && $answer != $r['answer']) showmsg($lang['answer_error']);
            else {
                // new password derived only from the request time, the client IP and set_sid
                $newpwd = substr(gethash($TIME . $IP), 6, 12);
                $member->modipwd($r['userid'], '', $newpwd, $newpwd, 1) or showmsg($member->info);
                include JXCMS_ROOT . 'include/mail.func.php';
                $mail_subject = &$lang['getpw_emailtitle'];
                $mail_content = sprintf($lang['mail_body'], $username, $lang['your_new_password'] . $newpwd, $set_ceomail, $set_contact);
                if ($set_sendtype == 'mail') {
                    basic_sendmail($email, $set_ceomail, $set_name, $mail_subject, $mail_content, 'html');
                } elseif ($set_sendtype == 'nmail') {
                    nmail($email, $set_ceomail, $set_name, $mail_subject, $mail_content, 'html');
                } elseif ($set_sendtype == 'smtp') {
                    smtp_sendmail($email, $set_ceomail, $set_name, $mail_subject, $mail_content, 'html');
                }
                showmsg($lang['getpw_sucess'], 'login.php', 3000);
            }
        } else showmsg($lang['email_name_error']);
    }
    include tpl('getpw');
    break;

The key line is "$newpwd = substr(gethash($TIME . $IP), 6, 12);". In the common function file, $TIME is defined as time() and $IP is set to the current client IP.
gethash:
function gethash($str) {
    $str = md5($str . $GLOBALS['set_sid']);   // set_sid is the site "security code"; empty by default
    $tmp = str_split($str, 1);                // one hex character per element
    $tmp = array_unique($tmp);                // drop repeated characters, keeping first occurrences
    return implode('', $tmp);
}

The new password is generated this way. "$GLOBALS['set_sid']" is empty by default (this is one of the basic preconditions; if the administrator has filled in the security code in the backend, this does not work).
This app has a guestbook; leaving a message displays the message's time, so you can set your own computer's clock to a few seconds before the server's time. Then set up this program locally and you can compute "$newpwd = substr(gethash($TIME . $IP), 6, 12);" yourself.
Then "echo $newpwd" gives the modified password. The remaining problem is timing: you can keep trying from a few seconds before to a few seconds after, and then try the passwords one by one.
The default email for "admin" is [email protected], and 80% of people won't change it; this is a prerequisite!
The biggest design mistake in this app is that the admin account and member accounts are stored together in the same "member" table.
It could be researched further, but my local setup test was successful; I haven't tried other sites online. Overall it's pretty lame: it requires the default admin mailbox not to have been modified and the default security code not to have been set.
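As an added illustration (not code from JXCMS or from the original post), the generator above reproduced as a pure function of its inputs, beside a replacement that draws the password from PHP's CSPRNG; the IP, timestamp and alphabet are constructed sample values. With set_sid empty the weak form depends only on the request time and client IP, and because array_unique keeps at most 16 distinct hex characters, substr(..., 6, 12) can return at most 10.

```php
<?php
// Added illustration, not JXCMS code: the page's reset-password generator as a
// function of its inputs, next to a CSPRNG-based replacement.

// The page's generator: md5(time . ip . sid), deduplicated characters, offset 6, length 12.
// Fully deterministic: with $sid empty (the default) the only inputs are the
// request time and the requester's IP.
function weak_reset_password(int $time, string $ip, string $sid = ''): string
{
    $str = md5($time . $ip . $sid);
    $tmp = array_unique(str_split($str, 1));   // at most 16 distinct hex chars survive
    return substr(implode('', $tmp), 6, 12);   // so at most 10 characters come back
}

// Hardened replacement: independent of time, IP and site configuration.
function strong_reset_password(int $length = 12): string
{
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];  // CSPRNG, PHP >= 7.0
    }
    return $out;
}

// Demonstration with constructed inputs.
$ip   = '192.0.2.10';    // constructed client address (TEST-NET-1 range)
$time = 1293984000;      // constructed request timestamp
$a = weak_reset_password($time, $ip);
$b = weak_reset_password($time, $ip);
printf("weak:   %s (same inputs, same password: %s; length %d)\n",
       $a, $a === $b ? 'yes' : 'no', strlen($a));
$c = strong_reset_password();
$d = strong_reset_password();
printf("strong: %s / %s (identical: %s)\n", $c, $d, $c === $d ? 'yes' : 'no');
```

A reset flow that mails a random, expiring one-time token and lets the user choose a password on use is preferable to writing a new password directly, but the generator change alone removes the predictability the post relies on.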