Analysis of the fine fast CMS vulnerability - vulnerability warning - the black bar safety net

Source: www.myhack58.com (MYHACK58:62201128759)
Date: 2011-01-03 00:00:00
Author: 佚名 (anonymous)

What follows is my own analysis; please forgive any errors.
The main problem is in the password retrieval function:
member.php?action=getpw
Look at the code:
case 'getpw':
    $showsubmenu = 0;
    $log_status && showmsg($lang['login_already'], $forward);
    if (isset($_POST['submit'])) {
        $msg = $_POST['hash'] == $ghash ? '' : $lang['hash_error'];
        if ($set_captcha[1]) {
            $msg or check_captcha($_POST['captcha']) or $msg = $lang['checkcode_error'];
        }
        $username = trim($_POST['username']);
        $email = trim($_POST['email']);
        if (!($member->checkuser($username, 0) && $member->checkemail($email, 0))) { // 0 means: do not check whether it already exists
            showmsg($member->info);
        }
        $r = $member->get(0, 'userid,email,question,answer', "username='$username'");
        if ($r) {
            $answer = shtmlspecialchars($_POST['answer']);
            if ($r['email'] != $email) showmsg($lang['email_name_error']);
            elseif ($r['question'] && $answer != $r['answer']) showmsg($lang['answer_error']);
            else {
                // the new password is derived only from the request time and the client IP
                $newpwd = substr(gethash($TIME . $IP), 6, 12);
                $member->modipwd($r['userid'], '', $newpwd, $newpwd, 1) or showmsg($member->info);
                include JXCMS_ROOT . 'include/mail.func.php';
                $mail_subject = &$lang['getpw_emailtitle'];
                $mail_content = sprintf($lang['mail_body'], $username, $lang['your_new_password'] . $newpwd, $set_ceomail, $set_contact);
                if ($set_sendtype == 'mail') {
                    basic_sendmail($email, $set_ceomail, $set_name, $mail_subject, $mail_content, 'html');
                } elseif ($set_sendtype == 'nmail') {
                    nmail($email, $set_ceomail, $set_name, $mail_subject, $mail_content, 'html');
                } elseif ($set_sendtype == 'smtp') {
                    smtp_sendmail($email, $set_ceomail, $set_name, $mail_subject, $mail_content, 'html');
                }
                showmsg($lang['getpw_sucess'], 'login.php', 3000);
            }
        } else showmsg($lang['email_name_error']);
    }
    include tpl('getpw');
    break;
The key line is:
$newpwd = substr(gethash($TIME . $IP), 6, 12);
In the common function file, $TIME is defined as time() and $IP is set to the current client IP.
Now look at gethash:

function gethash($str) {
    $str = md5($str . $GLOBALS['set_sid']);   // set_sid is the site "security code", empty by default
    $tmp = str_split($str, 1);                 // one element per hex digit
    $tmp = array_unique($tmp);                 // keep only the first occurrence of each digit
    return implode('', $tmp);
}

So the new password is generated from nothing more than this.
$GLOBALS['set_sid'] is empty by default (this is one of the basic conditions: if the administrator has filled in a security code in the back end, it will not work).
This app has a guestbook; just leave a message and the page shows the posting time, which reveals the server's time.
Then set your own computer's clock a few seconds before the server's time.
Then, on a local copy of this app, compute $newpwd = substr(gethash($TIME . $IP), 6, 12);
echo $newpwd gives the password the reset just set.
Since the only uncertainty is the exact second, start a few seconds early and keep going until a few seconds late, trying each candidate password in turn.
The admin's default EMAIL is [email protected]; 80% of people never change it. That is the prerequisite!
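To make the weakness concrete from the defender's side, here is an added example (not JXCMS code) that puts the page's generator next to a hardened replacement. The weak function reproduces gethash and the substr call exactly; $set_sid, $TIME and $IP mirror the page's globals, and the sample time and IP are constructed. The hardened variant assumes PHP 7 or newer for random_bytes(), and assumes the application would store the token hash and expiry alongside the user record instead of mailing a new password.

```php
<?php
// Added example, not part of the JXCMS code base.

// The page's generator, reproduced for comparison. Everything it hashes is
// either public (the request time, the requester's IP) or empty by default.
function weak_newpwd(int $time, string $ip, string $set_sid = ''): string {
    $str = md5($time . $ip . $set_sid);
    $tmp = array_unique(str_split($str, 1)); // drops repeated hex digits: at most 16 survive
    return substr(implode('', $tmp), 6, 12);  // so the "12-character" password is at most 10 chars
}

// Hardened replacement: 128 bits from the OS CSPRNG. The mail carries a
// one-time reset token; only its hash is stored, with a short expiry, so
// neither a guessable clock nor a leaked database row yields the secret.
function make_reset_token(int $ttl_seconds = 900): array {
    $token = bin2hex(random_bytes(16));
    return [
        'token'       => $token,                 // sent to the user's e-mail only
        'stored_hash' => hash('sha256', $token), // what the database keeps
        'expires'     => time() + $ttl_seconds,
    ];
}

function verify_reset_token(string $presented, string $stored_hash, int $expires): bool {
    // constant-time comparison, and the token is useless after expiry
    return time() < $expires && hash_equals($stored_hash, hash('sha256', $presented));
}

// Demonstration with constructed inputs: with the default empty set_sid the
// weak value is a pure function of two values an observer can know.
$t  = 1294012800;       // constructed: a timestamp on 2011-01-03
$ip = '203.0.113.5';    // constructed: documentation IP range
$weak = weak_newpwd($t, $ip);
printf("weak password: %s (length %d, identical on recompute: %s)\n",
    $weak, strlen($weak), $weak === weak_newpwd($t, $ip) ? 'yes' : 'no');

$r = make_reset_token();
printf("hardened token accepted: %s, wrong token accepted: %s\n",
    verify_reset_token($r['token'], $r['stored_hash'], $r['expires']) ? 'yes' : 'no',
    verify_reset_token('not-the-token', $r['stored_hash'], $r['expires']) ? 'yes' : 'no');
```

A non-empty set_sid only raises the cost of the weak scheme to guessing that one site-wide string; the hardened token is unpredictable regardless of configuration.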

The biggest design mistake in this app is that the admin account and the member accounts are stored in the same place, the member table.

The study may have been complicated, but the test on a local installation was successful; I have not tried it on other sites online.

Overall it is rather limited: it requires that the default admin mailbox has not been changed and that the default security code has been left blank.

Author: mind