CMS Tutorial
PHPCMS
PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage
PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage
About the repair problem of phpcms authkey generation algorithm problem causing authkey leakage
简介: 漏洞名称:phpcms authkey生成算法问题导致authkey泄露 补丁文件:caches/configs/system.php 补丁来源:云盾自研 漏洞描述:phpcms在安装时,由于在同一个页面中连续使用mt_rand(),未进行有效mt_srand();种子随机化操作,导致authkey 存在泄漏风险,黑客可利用该漏洞猜解出网站authkey进而入侵网站。【注意:该补丁修复后会自动修改您网站配置文件中的 auth_key和phpsso_auth_key,并且只会运行一次,修复期间会有部分用户访问的cookies失效导致需要登录网站,除此无其他 影响,可放心升级】 … 阿里云漏洞提示。
Online solution:
1. In /caches/configs/system.php, add the first parameter:
'alivulfix' => 'yes',
After modification, the code screenshot is as follows:
2. Find and modify auth_key, a 20-digit string; just customize what you write.
'auth_key' => '2qKYgs0PgHWWtaFVb3KP', //密钥
3. Find and modify auth_key, a 32-bit string; just customize what you write.
'phpsso_auth_key' => 'hjor66pewop_3qooeamtbiprooteqein', //加密密钥
Note: At this step, it is the same as Alibaba Cloud's Cloud Knight one-click repair.
It’s just that website users can’t log in for the time being, and there is the most important step next.
4. Log in to the phpsso management center in the background. In the navigation menu phpsso ——> Application Management ——> Edit, edit the "communication key" to the value of 'phpsso_auth_key' set in step 3, and then Click Submit.
Screenshots of the key steps are as follows:
After submission, the page shows successful communication, as shown below.
5. Finally, test the login additionally.
You will find that the website can be logged in, and the prompt in the Alibaba Cloud backend about "phpcms authkey generation algorithm problem leads to authkey leakage" has disappeared.
Feedback from Alibaba Cloud, the screenshot is as follows:
If you modify the local file first:
(1) will be modified The file is uploaded to the corresponding file location on the server and overwritten directly;
(2) Then proceed to steps 4 and 5 above.
(3) Finally, log in to the Alibaba Cloud backend and click Verify (screenshot below) to complete the vulnerability repair.
The above is all about the "phpcms authkey generation algorithm problem leading to authkey leakage" vulnerability fix.
PHP Chinese website, a large number of free PHPCMS tutorials, welcome to learn online!
The above is the detailed content of PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1374
52
Jailbreak any large model in 20 steps! More 'grandma loopholes' are discovered automatically
Nov 05, 2023 pm 08:13 PM
In less than a minute and no more than 20 steps, you can bypass security restrictions and successfully jailbreak a large model! And there is no need to know the internal details of the model - only two black box models need to interact, and the AI can fully automatically defeat the AI and speak dangerous content. I heard that the once-popular "Grandma Loophole" has been fixed: Now, facing the "Detective Loophole", "Adventurer Loophole" and "Writer Loophole", what response strategy should artificial intelligence adopt? After a wave of onslaught, GPT-4 couldn't stand it anymore, and directly said that it would poison the water supply system as long as... this or that. The key point is that this is just a small wave of vulnerabilities exposed by the University of Pennsylvania research team, and using their newly developed algorithm, AI can automatically generate various attack prompts. Researchers say this method is better than existing
Buffer overflow vulnerability in Java and its harm
Aug 09, 2023 pm 05:57 PM
Buffer overflow vulnerabilities in Java and their harm Buffer overflow means that when we write more data to a buffer than its capacity, it will cause data to overflow to other memory areas. This overflow behavior is often exploited by hackers, which can lead to serious consequences such as abnormal code execution and system crash. This article will introduce buffer overflow vulnerabilities and their harm in Java, and give code examples to help readers better understand. The buffer classes widely used in Java include ByteBuffer, CharBuffer, and ShortB
How to solve common file upload vulnerabilities in PHP language development?
Jun 10, 2023 am 11:10 AM
In the development of web applications, the file upload function has become a basic requirement. This feature allows users to upload their own files to the server and then store or process them on the server. However, this feature also makes developers need to pay more attention to a security vulnerability: the file upload vulnerability. Attackers can attack the server by uploading malicious files, causing the server to suffer varying degrees of damage. PHP language is one of the languages widely used in web development, and file upload vulnerabilities are also one of the common security issues. This article will introduce
The OpenAI DALL-E 3 model has a vulnerability that generates 'inappropriate content.' A Microsoft employee reported it and was slapped with a 'gag order.'
Feb 04, 2024 pm 02:40 PM
According to news on February 2, Shane Jones, manager of Microsoft’s software engineering department, recently discovered a vulnerability in OpenAI’s DALL-E3 model, which is said to be able to generate a series of inappropriate content. Shane Jones reported the vulnerability to the company, but was asked to keep it confidential. However, he eventually decided to disclose the vulnerability to the outside world. ▲Image source: Report disclosed by ShaneJones. This site noticed that ShaneJones discovered through independent research in December last year that there was a vulnerability in the DALL-E3 model of OpenAI text-generated images. This vulnerability can bypass the AI Guardrail (AIGuardrail), resulting in the generation of a series of NSFW inappropriate content. This discovery attracted widespread attention
Comma operator vulnerabilities and protective measures in Java
Aug 10, 2023 pm 02:21 PM
Overview of Comma Operator Vulnerabilities and Defense Measures in Java: In Java programming, we often use the comma operator to perform multiple operations at the same time. However, sometimes we may overlook some potential vulnerabilities of the comma operator that may lead to unexpected results. This article will introduce the vulnerabilities of the comma operator in Java and provide corresponding protective measures. Usage of comma operator: The syntax of comma operator in Java is expr1, expr2, which can be said to be a sequence operator. Its function is to first calculate ex
What framework is phpcms?
Apr 20, 2024 pm 10:51 PM
PHP CMS is a PHP-based open source content management system for managing website content. Its features include ease of use, powerful functionality, scalability, high security, and free open source. It can save time, improve website quality, enhance collaboration and reduce development costs, and is widely used in various websites such as news websites, blogs, corporate websites, e-commerce websites and community forums.
How to jump to the details page in phpcms
Jul 27, 2023 pm 05:23 PM
How to jump to the details page in phpcms: 1. Use the header function to generate a jump link; 2. Loop through the content list; 3. Get the title and details page link of the content; 4. Generate a jump link.
C++ implementation of midpoint line generation algorithm
Sep 09, 2023 pm 07:49 PM
A line connects two points. It is a basic element in graphics. To draw a line you need two points and you draw a line between these two points on the screen, in terms of graphics we call these points pixels and each pixel is associated with an integer coordinate. We give integer coordinates in the form (x1,y1) and (x2,y2) where x1
