### 简要描述:
PHPYUN设计缺陷验证码形同虚设
### 详细说明:
所有地方的验证码 验证后都未进行过期操作。导致验证码形同虚设
以找回密码为例
model/forgetpw.class.php
```
function sendpw_action()
{
if(md5($_POST["authcode"])!=$_SESSION['authcode']){
$this->obj->ACT_msg("index.php?M=forgetpw","验证码错误","2");
}
$pass =array("A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i","g","k","l","m","n","o","p","q","r","s","t","u","v","w","x","w","z","1","2","3","4","5","6","7","8","9","0");
$len = rand(8,12);
for($i=0;$i<$len;$i++)
{
$k = rand(0,36);
$password.=$pass[$k];
}
$info = $this->obj->DB_select_once("member","`username`='".$_POST["username"]."'");
if(is_array($info))
{
if($this->config['sy_uc_type']=="uc_center" &&$info['name_repeat']!="1")
{
$this->obj->uc_open();
uc_user_edit($info['username'], "", $password, $info['email'],"0");
}else{
$salt = substr(uniqid(rand()), -6);
$pass2 = md5(md5($password).$salt);
$value="`password`='".$pass2."',`salt`='".$salt."'";
$this->obj->DB_update_all("member",$value,"`username`='".$_POST["username"]."'");
}
$this->send_msg_email(array("username"=>$_POST["username"],"password"=>$password,"email"=>$info['email'],"moblie"=>$info['moblie'],"type"=>"getpass"));
$this->obj->ACT_msg("index.php?M=forgetpw", $msg = "新密码已发送到您的邮箱,请查收后登录系统修改密码!", $st = 2, $tm = 3);
}else{
$this->obj->ACT_msg("index.php?M=login", $msg = "对不起!没有该用户!", $st = 2, $tm = 3);
}
}
```
这里验证通过和输入错误后都没有unset session 导致之前的验证码不会过期可以重复使用。
从而只要得知用户邮箱 即可批量帮别人修改密码!
### 漏洞证明:
我这里就不用Bp跑了!
输入邮箱 就可以重置用户密码,怎么都觉得不是很妥,万一用户是假邮箱注册的 岂不是这么一搞密码就永远不知道了啊?
京公网安备 11010502034610号
暂无评论