提交 #632536: HuangDou UTCMS V9 login function verification code bypasses vulnerability信息

标题HuangDou UTCMS V9 login function verification code bypasses vulnerability
描述The background login page of UTCMS V9 (app/modules/ut-frame/admin/login.php) has a logical flaw in verifying the verification code submitted by the user. Due to the loose == comparison operator used, and in some cases $_SESSION['authcode'] may be null, an attacker can bypass verification by submitting an empty verification code. "" == null is judged to be true in PHP, which completely invalidates the verification code mechanism. This allows attackers to perform dictionary attacks or brute force cracking on backend user accounts without restrictions.
来源⚠️ https://github.com/August829/Yu/blob/main/20250811_2.md
用户
 Yu Bao (UID 88956)
提交2025-08-12 15時47分 (11 月前)
管理2025-08-24 16時52分 (12 days later)
状态已接受
VulDB条目321237 [HuangDou UTCMS 9 Login login.php code 权限提升]
积分20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!