2025-02-23 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Discuz 3.4 is the latest version of the Discuz forum software, and it is also the most stable community forum system since X3.2 and X3.3. The vendor has stopped releasing patches for the older versions and now ships updates directly on X3.4. Recently, while SINE Security was testing its security, we found a vulnerability in the website. The vulnerability lies in the WeChat interface that is called when users log in to the forum, and it makes it possible to log in as an arbitrary user, even as the administrator.
Details of the Discuz vulnerability
The vulnerability occurs in lines 220-240 of wechat.inc.php, in the wechat directory under the plugin folder, as follows:
From the code we can see how the designer laid out the logic. It first looks up the WeChat API ID in the member data table to see whether a corresponding, bound member account exists in the membership table. If the database has one, the data is returned to the front end. The next step then reads the member's UID value from the common table, along with all of that user's information.
According to Discuz's design logic, anyone who knows the openid a user has on the WeChat interface can log in to that user's account. Looking more closely at Discuz's documentation for the WeChat API interface, the value of openid does not change. The openid can be obtained from the official account only when a user binds a WeChat account to the forum, and it cannot be obtained through a normal request.
So we forged parameters to try to log in, testing whether we could get other people's openid values. We logged in with a user whose ID was empty and found that the login succeeded, but instead of binding to any forum account it registered a new account on the forum. Going through the whole logic, we found a flaw that allows unbinding the WeChat account bound to any ID. After that, we logged in with an empty openid and found that we could log in to any member's account. The screenshot is as follows:
If the administrator's account is bound to WeChat login, we can unbind its ID and then log in with an empty ID to enter the administrator account. To repair this vulnerability in a Discuz website, it is recommended that the website manager delete the code, commenting out all of lines 230 to 247 of plugin/wechat/wechat.inc.php. To repair website vulnerabilities in general, you can upgrade to the corresponding version of the software, or have a programmer make the repair. If you wrote the website yourself, you will be familiar with it; if you did not, it is recommended to find a professional website security company, such as Sinesafe or Green League, security service providers that specialize in website security protection, to deal with and solve website tampering problems.
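The following is an added example, not Discuz's code and not taken from the original article: a simplified model of the unbind-then-empty-openid flaw described above, next to the two checks that close it. The binding table layout, the function names, the sample openid values, the openid format check, and the premise that unbinding leaves a row with an empty openid are all assumptions made for illustration.

```php
<?php
// Simplified model, NOT Discuz's code. $bindings stands in for a hypothetical
// uid <-> openid binding table; all rows below are constructed sample data.
function make_bindings(): array {
    return [
        ['uid' => 1, 'openid' => 'oA1-constructed-admin'],
        ['uid' => 7, 'openid' => 'oB2-constructed-user'],
    ];
}

// Weak unbind: no ownership check, and the row is blanked instead of deleted
// (assumed behaviour for this model).
function unbind_weak(array &$bindings, int $uid): void {
    foreach ($bindings as &$row) {
        if ($row['uid'] === $uid) { $row['openid'] = ''; }
    }
    unset($row);
}

// Weak login: the openid from the request is looked up as-is, empty included.
function login_weak(array $bindings, string $openid): ?int {
    foreach ($bindings as $row) {
        if ($row['openid'] === $openid) { return $row['uid']; }
    }
    return null;
}

// Hardened unbind: only the logged-in owner may unbind; the row is removed.
function unbind_hardened(array &$bindings, int $sessionUid, int $uid): bool {
    if ($sessionUid !== $uid) { return false; }
    $bindings = array_values(array_filter($bindings, fn($r) => $r['uid'] !== $uid));
    return true;
}

// Hardened login: an empty or malformed openid never reaches the lookup.
function login_hardened(array $bindings, string $openid): ?int {
    if (!preg_match('/\A[A-Za-z0-9_-]{16,64}\z/', $openid)) { return null; }
    return login_weak($bindings, $openid);
}

$b = make_bindings();
unbind_weak($b, 1);                    // caller identity is never consulted
var_dump(login_weak($b, ''));          // weak path: empty openid matches a row
var_dump(login_hardened($b, ''));      // hardened path: rejected before lookup

$b = make_bindings();
var_dump(unbind_hardened($b, 7, 1));   // uid 7 asking to unbind uid 1
var_dump(login_hardened($b, 'oB2-constructed-user'));
```

When reviewing a site, the same two questions apply to the real plugin code: does the unbind path verify that the session owns the binding, and can the login lookup ever be reached with an empty openid.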