The BMa 2014/10/22 eliakim

0x00 Background


I read a summary of password recovery vulnerabilities before; since then I have seen some new situations, so I am writing this to supplement it.

Link: Possible problems with password recovery

0x01 Review


The seven points already made in the previous article are as follows:

1. The password recovery credential is weak and easy to brute-force
2. The password recovery credential can be obtained directly from the client or the URL
3. The password recovery credential can be obtained directly from the web page source
4. The link in the password recovery e-mail is easy to guess, for example the MD5 of a timestamp
5. The password recovery credential is not bound to a single user
6. The mobile phone number or e-mail used for password retrieval is taken from the page and can be modified with Firebug
7. When submitting the new password, the user ID can be changed to another user's ID

0x02 Supplement


1. The verification and retrieval-method steps can be skipped by going directly to the page that sets the new password

WooYun: Change the OPPO mobile phone synchronization password and view the SMS address book at will

2. When retrieving the password, the server sends the verification code without checking whether the user name and the mailbox match

WooYun: There is a bug in meizu’s account system that can reset the password of any account

http://www.zhaojin97.cn/read-196.html

3. The token returned during password reset is not bound to the account or to the verification code

See the Meizu password reset issue above.

4. The server only verifies that the submitted authentication information exists, not that it matches the account

WooYun: Reset any account password on OPPO (3)

WooYun: Reset the OPPO account password for the second time.

WooYun: OPPO changes the password of any account

5. The client decides locally, based on the server's response, whether the password reset succeeded, but that response is content the user can control or obtain

WooYun: Oppo resets arbitrary user passwords (4)

6. The decision to send authentication information such as an SMS is made on the client side and can be controlled by modifying the response packet

WooYun: OPPO Changes the password of any account -3

WooYun: OPPO Changes the password of any account -2

7. When the new password is submitted, only part of the client-controllable information is checked for a match

WooYun: Random password recovery for AA carpooling 2

8. There is an injection vulnerability in the password retrieval function

WooYun: Another SQL injection vulnerability in E-HR (kill all versions)

0x03 Remediation


Make password recovery credentials complex and unguessable; perform every check and state transition on the server side; encrypt the authentication parameters in transit; and filter all parameters properly.
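To make the remediation concrete, here is an added example of a server-side password reset flow that closes the gaps listed in 0x01 and 0x02: it is not code from the article or from any of the cited WooYun reports. It assumes an in-memory user store and a constructed outbox standing in for the SMS/e-mail gateway; the 15-minute token lifetime is an assumption. The credential is 256 random bits (not a time-derived hash), only its hash is stored, the contact is checked against the account before anything is sent, the token is bound to the user ID and is single-use, and the client never decides anything.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TOKEN_TTL = 15 * 60  # assumption: a reset credential is valid for 15 minutes


def _hash_token(token: str) -> bytes:
    # Only a hash of the credential is kept server-side, so a leaked record cannot be replayed
    return hashlib.sha256(token.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    # Salted PBKDF2 for the example; iteration count kept modest so the demo runs quickly
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


@dataclass
class ResetRecord:
    user_id: str       # account the credential was issued for
    contact: str       # e-mail/phone the code was actually sent to
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Every decision (who the contact belongs to, whether to send, whether the
    credential matches) is made here on the server; the client is only a courier."""

    def __init__(self, users, clock=time.time):
        self.users = users      # user_id -> {"email": str, "password": bytes}
        self.records = {}       # token hash -> ResetRecord
        self.outbox = []        # constructed stand-in for the SMS/e-mail gateway
        self.clock = clock      # injectable so expiry can be exercised

    def request_reset(self, user_id: str, contact: str) -> Optional[str]:
        user = self.users.get(user_id)
        # Supplement item 2: the contact must belong to the account BEFORE any code is sent
        if user is None or not hmac.compare_digest(user["email"].encode(), contact.encode()):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, not an MD5 of the time (review item 4)
        self.records[_hash_token(token)] = ResetRecord(
            user_id, contact, self.clock() + RESET_TOKEN_TTL
        )
        self.outbox.append((contact, token))  # supplement item 6: sending is decided server-side
        # Returned here only so the example can be driven; production delivers out of band only
        return token

    def reset_password(self, user_id: str, token: str, new_password: str) -> bool:
        rec = self.records.get(_hash_token(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        # Supplement items 3/4 and review items 5/7: existing is not enough,
        # the credential must be bound to the account named in this request
        if not hmac.compare_digest(rec.user_id.encode(), user_id.encode()):
            return False
        rec.used = True  # single use, so a captured token cannot be replayed
        self.users[user_id]["password"] = hash_password(new_password)
        return True

    def login(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        return user is not None and verify_password(password, user["password"])


def make_demo_users():
    # Constructed sample accounts for the example
    return {
        "alice": {"email": "alice@example.com", "password": hash_password("alice-old")},
        "bob": {"email": "bob@example.com", "password": hash_password("bob-old")},
    }


if __name__ == "__main__":
    svc = PasswordResetService(make_demo_users())
    print("mismatched contact sends nothing:", svc.request_reset("alice", "bob@example.com") is None)
    tok = svc.request_reset("alice", "alice@example.com")
    print("swapped user id rejected:", svc.reset_password("bob", tok, "pwned") is False)
    print("legitimate reset accepted:", svc.reset_password("alice", tok, "alice-new"))
    print("token is single use:", svc.reset_password("alice", tok, "again") is False)
```

The injected clock lets the same code show the expiry path: advance it past RESET_TOKEN_TTL and a still-unused token is refused.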