funadmin Weak Password Recovery Vulnerability in Member.php

Vulnerability

A vulnerability allowing arbitrary password resets has been identified in funadmin versions through 7.1.0-rc4. The issue resides in the repass function of app/frontend/controller/Member.php, where password reset verification is inadequately implemented. The function compares a user-controllable cookie value, forget_code, with a POST parameter, vercode. Because both sides of that comparison are supplied by the client, attackers can manipulate these values to bypass verification and reset the password of any user by altering the user ID parameter. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
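
The following added example (not funadmin's code, and not taken from the advisory) models the cookie-versus-POST comparison described above next to a server-side check that binds the reset code to one account. All function names, the in-memory $store, the six-digit code, the 600-second lifetime and the five-attempt limit are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not funadmin's code; every name and limit below is hypothetical.

// Simplified model of the weak pattern: both compared values come from the client.
function weakVerify(array $cookies, array $post): bool
{
    return isset($cookies['forget_code'], $post['vercode'])
        && $cookies['forget_code'] === $post['vercode'];
}

// Hardened: the code is stored server-side as a hash, bound to one account, time-limited.
function issueResetCode(array &$store, int $userId, int $now): string
{
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$userId] = ['hash' => hash('sha256', $code), 'expires' => $now + 600, 'attempts' => 0];
    return $code; // delivered out of band (e.g. e-mail), never placed in a cookie
}

function verifyResetCode(array &$store, int $userId, string $submitted, int $now): bool
{
    $rec = $store[$userId] ?? null;
    if ($rec === null || $now > $rec['expires'] || $rec['attempts'] >= 5) {
        unset($store[$userId]); // expired or exhausted codes are discarded
        return false;
    }
    $store[$userId]['attempts']++; // count every guess against the limit
    if (!hash_equals($rec['hash'], hash('sha256', $submitted))) {
        return false;
    }
    unset($store[$userId]); // single use: a verified code cannot be replayed
    return true;
}

// Constructed sample run; $store stands in for a session or database table.
$store = [];
$code = issueResetCode($store, 42, 1000);
$results = [
    'weak check, both values client-chosen' => weakVerify(['forget_code' => 'x'], ['vercode' => 'x']),
    'code for user 42 submitted for user 7' => verifyResetCode($store, 7, $code, 1001),
    'code for user 42, within lifetime'     => verifyResetCode($store, 42, $code, 1001),
    'same code submitted a second time'     => verifyResetCode($store, 42, $code, 1002),
];
foreach ($results as $label => $ok) {
    echo $label, ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

In a real controller the account being reset should be taken from the server-side record tied to the verified code, not from a request parameter.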

Impact

Exploitation of this vulnerability allows for unauthorized password resets, enabling attackers to gain access to user accounts. This issue has been classified under CWE-640, which pertains to weak password recovery mechanisms.

Reproduction

To reproduce this vulnerability, send a POST request to the repass function in app/frontend/controller/Member.php. Include a manipulated forget_code value that bypasses the captcha verification, and alter the user ID parameter to target a specific user. The password for the specified user will be reset to a new value, which can then be used to log in as that user.

Added: Feb 21, 2026, 11:18 PM
Updated: Feb 21, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.