提出 #632536: HuangDou UTCMS V9 login function verification code bypasses vulnerability情報

タイトルHuangDou UTCMS V9 login function verification code bypasses vulnerability
説明The background login page of UTCMS V9 (app/modules/ut-frame/admin/login.php) has a logical flaw in verifying the verification code submitted by the user. Due to the loose == comparison operator used, and in some cases $_SESSION['authcode'] may be null, an attacker can bypass verification by submitting an empty verification code. "" == null is judged to be true in PHP, which completely invalidates the verification code mechanism. This allows attackers to perform dictionary attacks or brute force cracking on backend user accounts without restrictions.
ソース⚠️ https://github.com/August829/Yu/blob/main/20250811_2.md
ユーザー
 Yu Bao (UID 88956)
送信2025年08月12日 15:47 (11 月 ago)
モデレーション2025年08月24日 16:52 (12 days later)
ステータス承諾済み
VulDBエントリ321237 [HuangDou UTCMS 9 Login login.php code 特権昇格]
ポイント20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!