HuangDou UTCMS Code Verification Bypass Vulnerability in Login Component

Vulnerability

A vulnerability exists in HuangDou UTCMS version 9 in the login verification process. In the file 'app/modules/ut-frame/admin/login.php', the verification code submitted by the user is improperly validated: the comparison relies on PHP's loose equality, under which an empty or missing value compares equal to null, so an attacker who submits an empty code (or no 'code' field at all) passes the check. The verification code therefore offers no protection, and the login form can be driven by automated brute-force or dictionary attacks against user credentials.

Impact

Exploitation of this vulnerability bypasses the verification code requirement on the login form. The bypass does not authenticate the attacker by itself; it removes the control that was meant to stop automated login attempts, so credential brute-force or dictionary attacks become feasible and could lead to unauthorized access to user accounts.

Reproduction

To reproduce this vulnerability, send a POST request to the login endpoint ('app/modules/ut-frame/admin/login.php') that either omits the 'code' parameter or sends it empty, with the 'username' and 'password' fields set to valid credentials (or to candidates from a wordlist). The empty value compares loosely equal (==) to null on the server, so the verification check passes and the login proceeds without a correct code. A server that has been fixed rejects such a request with a verification-code error regardless of the credentials supplied.
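The following PHP script is an added example and is not code from UTCMS or from the advisory. It models the flaw described in the Vulnerability section and the request described in the Reproduction section without sending any traffic: a hypothetical verify_code_loose() compares the submitted code to the session value with '==', the way the advisory says the vulnerable check behaves, and a hardened verify_code_strict() shows the checks a practitioner would want instead. The function names, the session key 'code', and the constructed requests are assumptions; only the field names 'username', 'password' and 'code' come from the advisory.

```php
<?php
// Added example (not UTCMS code): models the captcha check described in the
// advisory and shows why an empty or missing 'code' passes a loose comparison.
// Function names, the session key 'code' and the request shapes are assumptions.

declare(strict_types=1);

/**
 * Hypothetical model of the flawed check: the submitted code is compared with
 * the session value using '=='. If the attacker never loaded the captcha image,
 * $session['code'] is null; an absent or empty POST field is null or ''.
 * PHP's loose comparison treats null == '' and null == null as true.
 */
function verify_code_loose(array $post, array $session): bool
{
    $submitted = $post['code'] ?? null;
    $expected  = $session['code'] ?? null;
    return $submitted == $expected;   // loose: null == '' is true
}

/**
 * Hardened check: a stored code must exist, the submitted value must be a
 * non-empty string, the comparison is constant-time on strings, and the
 * stored code is consumed so it cannot be replayed.
 */
function verify_code_strict(array $post, array &$session): bool
{
    $expected = $session['code'] ?? null;
    unset($session['code']);                      // single use regardless of outcome
    if (!is_string($expected) || $expected === '') {
        return false;                             // no captcha was ever issued
    }
    $submitted = $post['code'] ?? null;
    if (!is_string($submitted) || $submitted === '') {
        return false;                             // empty or missing field is a failure
    }
    return hash_equals(strtolower($expected), strtolower($submitted));
}

// Constructed requests. The attacker posts credentials with no 'code' field
// (or an empty one) and has no captcha stored in the session.
$attacker_post    = ['username' => 'admin', 'password' => 'guess1'];
$attacker_session = [];

// A legitimate user who loaded the captcha image and typed it correctly.
$user_post    = ['username' => 'admin', 'password' => 'secret', 'code' => 'k7mQ'];
$user_session = ['code' => 'k7mQ'];

$cases = [
    'attacker, missing code' => [$attacker_post, $attacker_session],
    'attacker, empty code'   => [$attacker_post + ['code' => ''], $attacker_session],
    'legitimate user'        => [$user_post, $user_session],
];

foreach ($cases as $label => [$post, $session]) {
    $s1 = $session;
    $s2 = $session;
    printf("%-24s loose: %-5s strict: %s\n",
        $label,
        verify_code_loose($post, $s1) ? 'pass' : 'fail',
        verify_code_strict($post, $s2) ? 'pass' : 'fail');
}
```

Run with `php example.php`: both attacker cases pass the loose check (null == null and '' == null are true in PHP) and fail the strict one, while the legitimate user passes both. The strict version also clears the stored code before comparing, so a captcha cannot be reused across a burst of guesses even when the comparison itself is correct.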

Added: Aug 25, 2025, 1:17 AM
Updated: Aug 25, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.