BUG_Author:
BinXiang Wei
Vendor:
https://www.kaoshifeng.com/
Vulnerability File:
https://school.yfhl.net/#/login
Affected product name:
Beijing Yunfan Internet Technology Co., Ltd. Yunfan Learning Examination System
Affected version: V6.5
Root cause:
A logic error in password verification makes it possible for any user to log in.
Proof of vulnerability:
2. Log in using the admin account and fill in any password.
3. Because the front end restricts what can be entered as a password, intercept the login packet and set the password value to null.
4. Release the modified packet; verification is bypassed and the login to the management backend succeeds.
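
Added example (not the vendor's code, which the advisory does not show): a hypothetical server-side check with the kind of logic error that would produce the behaviour above, next to a version that fails closed on a null or missing password regardless of front-end validation. The account store, field names and both functions are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash for stored credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample account store (assumption, not from the advisory).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct-horse-battery", _SALT))}


def verify_flawed(body: dict) -> bool:
    """Hypothetical flawed check: the comparison only runs when a password is present."""
    user = USERS.get(body.get("username"))
    if user is None:
        return False
    password = body.get("password")
    if password:  # a null or empty value skips the comparison entirely
        salt, stored = user
        if not hmac.compare_digest(_hash(password, salt), stored):
            return False
    return True  # reached with password == None: login accepted


def verify_hardened(body: dict) -> bool:
    """Fail closed: reject missing, null, empty or non-string credentials first."""
    username = body.get("username")
    password = body.get("password")
    if not isinstance(username, str) or not isinstance(password, str) or not password:
        return False
    user = USERS.get(username)
    if user is None:
        return False
    salt, stored = user
    return hmac.compare_digest(_hash(password, salt), stored)
```

The hardened version validates the parsed request body on the server, so a client that skips the front-end restriction gets the same rejection as a wrong password.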