Honestly, this doesn't really count as a vulnerability~😂
From the vulnerability information disclosed under CVE-2020-21493: Xiuno BBS contains an access control error vulnerability, which stems from the product's route/user.php allowing usernames to be retrieved. Affected products and versions: Xiuno BBS v4.0.4.
route\user.php line 67-82;
    include _include(APP_PATH.'view/htm/user_login.htm');
} else if($method == 'POST') {
    // hook user_login_post_start.php
    $email = param('email'); // email or mobile
    $password = param('password');
    empty($email) AND message('email', lang('email_is_empty'));
    if(is_email($email, $err)) {
        $_user = user_read_by_email($email);
        empty($_user) AND message('email', lang('email_not_exists'));
    } else {
        $_user = user_read_by_username($email);
        empty($_user) AND message('email', lang('username_not_exists'));
    }
lang\zh-cn\bbs.php line 120;
'username_not_exists' => '用户名不存在',
The username can be discovered by enumerating the value of the login parameter:
email=...&
POC:
POST /?user-login.htm HTTP/1.1
Host: 192.168.1.5
Content-Length: 54
Accept: text/plain, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3941.4 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://127.0.0.1/?user-login.htm
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: bbs_sid=c0ku6ujq1411p9fqbf9vvdricn
Connection: close

email=test&password=4297f44b13955235245b2497399d7a93

Response
HTTP/1.1 200 OK
Date: Thu, 05 Dec 2019 14:51:29 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
X-Powered-By: PHP/7.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 60

{ "code": "email", "message": "用户名不存在" }
Simply put: on the Xiuno login page, deliberately enter the invalid string "test" in the email field and anything as the password; clicking the login button then shows "用户名不存在" (username does not exist).
By the submitter's reasoning, when an invalid email address is detected, the code wrongly runs the user lookup function (treating the email as a username). In fact, this is exactly how Xiuno's login is meant to work: it also checks whether a user registered with that string as a username, so the login endpoint accepts either "email + password" or "username + password". The misunderstanding probably comes from the parameter name being fixed as email.
Still, since someone has reported it as a vulnerability, we'll reluctantly "fix" it.
From the description above, we see that lines 80-81 of route/user.php,
        $_user = user_read_by_username($email);
        empty($_user) AND message('email', lang('username_not_exists'));
are completely unnecessary; we can change them to:
message('email', $err);
so that the error message returned by the is_email function is shown directly.
The vulnerability can therefore be fixed as described above, but at the cost of losing the "username + password" login feature.
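As an added example (not Xiuno's code), here is the same email-or-username lookup in Python: the original shape, which answers with a distinct message for an unknown username, an unknown email and a wrong password, beside a hardened version that keeps both login paths but returns one generic failure, so the "username + password" feature does not have to be given up. The user store, salt and the message keys password_incorrect and login_failed are constructed for this example; only email_is_empty, email_not_exists and username_not_exists come from Xiuno's language file.

```python
import hashlib
import hmac
import re

# Constructed user store standing in for Xiuno's user table (example data only).
_SALT = b"constructed-salt"

def _hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

USERS = [{"username": "alice", "email": "alice@example.com", "pw": _hash("correct horse")}]
_DUMMY_HASH = _hash("")  # compared against when no account matches

def is_email(value: str) -> bool:
    return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None

def user_read_by_email(email: str):
    return next((u for u in USERS if u["email"] == email), None)

def user_read_by_username(username: str):
    return next((u for u in USERS if u["username"] == username), None)

def login_vulnerable(email: str, password: str) -> dict:
    """Mirrors the original branch: each failure says exactly what was wrong."""
    if not email:
        return {"code": "email", "message": "email_is_empty"}
    if is_email(email):
        user = user_read_by_email(email)
        if user is None:
            return {"code": "email", "message": "email_not_exists"}
    else:
        user = user_read_by_username(email)
        if user is None:
            return {"code": "email", "message": "username_not_exists"}
    if not hmac.compare_digest(user["pw"], _hash(password)):
        return {"code": "password", "message": "password_incorrect"}  # constructed key
    return {"code": "0", "message": "ok"}

def login_hardened(email: str, password: str) -> dict:
    """Same email-or-username lookup, but unknown account and wrong password look identical."""
    if not email:
        return {"code": "email", "message": "email_is_empty"}
    user = user_read_by_email(email) if is_email(email) else user_read_by_username(email)
    # Hash and compare even when nothing matched, so response time does not leak either.
    matched = hmac.compare_digest(user["pw"] if user else _DUMMY_HASH, _hash(password))
    if user is None or not matched:
        return {"code": "login", "message": "login_failed"}  # constructed key
    return {"code": "0", "message": "ok"}
```

With the hardened handler the request in the POC above and a wrong-password attempt for a real account produce the same response body, which is what removes the enumeration oracle.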