Home > CMS Tutorial > PHPCMS > body text

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

爱喝马黛茶的安东尼
Release: 2019-11-21 09:47:17
forward
4517 people have browsed it

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

About the repair problem of phpcms authkey generation algorithm problem causing authkey leakage

简介:
漏洞名称:phpcms authkey生成算法问题导致authkey泄露
补丁文件:caches/configs/system.php
补丁来源:云盾自研
漏洞描述:phpcms在安装时,由于在同一个页面中连续使用mt_rand(),未进行有效mt_srand();种子随机化操作,导致authkey
存在泄漏风险,黑客可利用该漏洞猜解出网站authkey进而入侵网站。【注意:该补丁修复后会自动修改您网站配置文件中的
auth_key和phpsso_auth_key,并且只会运行一次,修复期间会有部分用户访问的cookies失效导致需要登录网站,除此无其他
影响,可放心升级】
…
阿里云漏洞提示。
Copy after login

Online solution:

1. In /caches/configs/system.php, add the first parameter:

'alivulfix' => 'yes',
Copy after login

After modification, the code screenshot is as follows:

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

2. Find and modify auth_key, a 20-digit string; just customize what you write.

'auth_key' => '2qKYgs0PgHWWtaFVb3KP', //密钥
Copy after login

3. Find and modify auth_key, a 32-bit string; just customize what you write.

'phpsso_auth_key' => 'hjor66pewop_3qooeamtbiprooteqein', //加密密钥
Copy after login

Note: At this step, it is the same as Alibaba Cloud's Cloud Knight one-click repair.

It’s just that website users can’t log in for the time being, and there is the most important step next.

4. Log in to the phpsso management center in the background. In the navigation menu phpsso ——> Application Management ——> Edit, edit the "communication key" to the value of 'phpsso_auth_key' set in step 3, and then Click Submit.

Screenshots of the key steps are as follows:

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

After submission, the page shows successful communication, as shown below.

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

5. Finally, test the login additionally.

You will find that the website can be logged in, and the prompt in the Alibaba Cloud backend about "phpcms authkey generation algorithm problem leads to authkey leakage" has disappeared.

Feedback from Alibaba Cloud, the screenshot is as follows:

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

If you modify the local file first:

(1) will be modified The file is uploaded to the corresponding file location on the server and overwritten directly;

(2) Then proceed to steps 4 and 5 above.

(3) Finally, log in to the Alibaba Cloud backend and click Verify (screenshot below) to complete the vulnerability repair.

PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage

The above is all about the "phpcms authkey generation algorithm problem leading to authkey leakage" vulnerability fix.

PHP Chinese website, a large number of free PHPCMS tutorials, welcome to learn online!

The above is the detailed content of PHPCMS vulnerability: authkey generation algorithm problem leads to authkey leakage. For more information, please follow other related articles on the PHP Chinese website!

source:csdn.net
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template