littleheary/-YzmCMS-User-Traversal-Vulnerability
-YzmCMS-User-Traversal-Vulnerability

[Description] The forgotten-password feature in index.php/member/reset/reset_email.html in YzmCMS v3.2 through v3.7 has a Response Discrepancy Information Exposure issue and an unexpectedly long lifetime for a verification code, which makes it easier for remote attackers to hijack accounts via a brute-force approach.

[Additional Information]

  1. On the forgotten-password page the verification code is not invalidated after it is checked: if the request is captured without refreshing the page, the same verification code stays valid for a long time, so the code no longer protects the form against brute-forcing.
  2. The forgotten-password handler returns different response data depending on the state of the account. When the username does not exist it prompts "Username does not exist"; when the username exists it prompts "Email failed" or "Email sent successfully".
  3. Because the response contents differ, the account names that exist on the site can be enumerated directly.

[VulnerabilityType] Logic vulnerability

[Vendor of Product] http://www.yzmcms.com

[Affected Product version] yzmcms - v3.2-v3.7

[Affected Component] The affected page is /index.php/member/reset/reset_email.html.

[Attack Vectors]

Vulnerable URL: http://demo.yzmcms.com/index.php/member/reset/reset_email.html

Vulnerability introduction: account traversal, bypassing the verification code by not refreshing the page. The steps are:

  1. Open the retrieve-password page, simulate normal input, and enter a "username" and the "verification code".
  2. Capture the packet in Burp and intercept the current request.
  3. Send the current packet to the Intruder module and mark "username" as the position used to traverse account names.
  4. Select a dictionary for the account name and start the attack.
  5. Check the result: 972 attempts were made without ever being prompted "Invalid verification code". Responses for non-existent users are 1929 bytes long and prompt "The user does not exist!"; responses for existing users are 1956 bytes long and prompt "The e-mail failed. Please contact the webmaster!". In this way the usernames from the dictionary that exist on the site can be enumerated.
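As an added illustration, and not code from this advisory or from YzmCMS, the following Python model reproduces the two defects described in the Additional Information and Attack Vectors sections above: a verification code that is checked but never invalidated, and a reply whose text (and therefore length) depends on whether the account exists. Beside it is a hardened handler that consumes the code on first use, expires it, caps attempts per session, and returns one reply either way. The two `replies_with_*` helpers reproduce the measurement scenarios from the steps above (one captured code replayed across a name list, and a fresh code per submission). The user table, mail outbox, session ids, reply strings and all function names are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample data standing in for the CMS user table and mail transport.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
OUTBOX = []  # reset mails "sent" by the hardened handler

UNIFORM_REPLY = "If that account exists, a reset e-mail has been sent."
BAD_CODE_REPLY = "Invalid verification code"
RATE_LIMIT_REPLY = "Too many attempts. Please try again later."


def _match(code, submitted):
    submitted = submitted.upper()
    # compare_digest needs ASCII str; reject anything else before the constant-time compare
    return submitted.isascii() and hmac.compare_digest(code, submitted)


class VerificationCodes:
    """Session-bound reset codes. `check` models the original CMS behaviour
    (code verified but never invalidated); `consume` is the fix."""

    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._store = {}  # session_id -> (code, issued_at)

    def issue(self, session_id, now=None):
        code = "".join(secrets.choice(self.ALPHABET) for _ in range(6))
        self._store[session_id] = (code, time.time() if now is None else now)
        return code

    def check(self, session_id, submitted):
        """Vulnerable: verifies the code and leaves it valid for the next request."""
        entry = self._store.get(session_id)
        return entry is not None and _match(entry[0], submitted)

    def consume(self, session_id, submitted, now=None):
        """Hardened: removed on first use whether or not it matches, and rejected
        once its lifetime has passed."""
        entry = self._store.pop(session_id, None)
        if entry is None:
            return False
        code, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > self.ttl:
            return False
        return _match(code, submitted)


def send_reset_mail(email):
    OUTBOX.append(email)  # a real handler logs delivery failures server-side only


def reset_email_leaky(username, code, session_id, codes, attempts):
    """Models the behaviour the advisory describes: replayable code, leaky reply."""
    if not codes.check(session_id, code):
        return BAD_CODE_REPLY
    if username not in USERS:
        return "The user does not exist!"
    return "The e-mail failed. Please contact the webmaster!"


def reset_email_hardened(username, code, session_id, codes, attempts, max_attempts=5):
    """Same entry point with the defects closed: per-session attempt cap,
    single-use short-lived code, and one reply regardless of account state."""
    attempts[session_id] = attempts.get(session_id, 0) + 1
    if attempts[session_id] > max_attempts:
        return RATE_LIMIT_REPLY
    if not codes.consume(session_id, code):
        return BAD_CODE_REPLY
    email = USERS.get(username)
    if email is not None:
        send_reset_mail(email)
    return UNIFORM_REPLY


def replies_with_replayed_code(handler, names):
    """One code captured once and reused for every name (the advisory's scenario)."""
    codes, attempts, session = VerificationCodes(), {}, "sess-1"
    code = codes.issue(session)
    return {n: handler(n, code, session, codes, attempts) for n in names}


def replies_with_fresh_codes(handler, names):
    """The legitimate flow: a new code is issued before each submission."""
    codes, attempts, session = VerificationCodes(), {}, "sess-2"
    out = {}
    for n in names:
        code = codes.issue(session)
        out[n] = handler(n, code, session, codes, attempts)
    return out


if __name__ == "__main__":
    names = ["alice", "carol", "bob"]  # alice and bob exist, carol does not
    for handler in (reset_email_leaky, reset_email_hardened):
        print(handler.__name__)
        for n, r in replies_with_replayed_code(handler, names).items():
            print(f"  replayed code  {n:6s} -> {len(r):3d} bytes  {r}")
        for n, r in replies_with_fresh_codes(handler, names).items():
            print(f"  fresh code     {n:6s} -> {len(r):3d} bytes  {r}")
```

Running the script shows the leaky handler answering every replayed request and returning two reply lengths that map onto account existence, which is exactly the signal the Intruder run above sorts on; the hardened handler accepts the captured code once, rejects every replay, and gives identical replies for existing and non-existing names, so neither text nor length can be used as an oracle.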
