aspcms会员中心的某些页面，对用户的验证存在缺陷，修改cookie后提交即可重置任意用户的帐号信息。


'member/reg.asp
dim action : action=getform("action","get")
if action = "reg" then
       addUser()
elseif action = "editpass" then
       editUser()
else
       echoContent()
end if
'第3-10行 接受一个get请求,如果action为editpass时候执行editUser过程
Sub editUser www.2cto.com
       dim LoginName,userPass,reuserPass,Email,Mobile,Address,PostCode,Gender,QQ,TrueName,Phone
       LoginName=trim(rCookie("loginName"))     
       userPass=getForm("userPass","post")  
       reuserPass=getForm("reuserPass","post")          
      
       Email=filterPara(getForm("Email","post"))
       Mobile=filterPara(getForm("Mobile","post"))
       Address=filterPara(getForm("Address","post"))
       PostCode=filterPara(getForm("PostCode","post"))
       Gender=filterPara(getForm("Gender","post"))
       QQ=filterPara(getForm("QQ","post"))
       TrueName=filterPara(getForm("TrueName","post"))
       Phone=filterPara(getForm("Phone","post"))
 
      
       if userPass<>reuserPass then alertMsgAndGo "两次输入密码不相同","-1"    
      
       dim passStr
       if not isnul(userPass) then passStr="[Password]='"&md5(userPass,16)&"',"   
 
       Conn.Exec"update {prefix}User set "&passStr&" Email='"&Email&"',QQ='"&QQ&"',Mobile='"&Mobile&"',Address='"&Address&"',PostCode='"&PostCode&"',Gender="&Gender&",Phone='"&Phone&"',TrueName='"&TrueName&"' where LoginName='"&LoginName&"'","exe" 
       alertMsgAndGo "修改成功","editPass.asp"  
End Sub

'第24-47行 是editUser过程
'从中可以看出，对用户修改密码根本没做任何验证，cookie值是我们可以修改的
'将LoginName值修改为admin提交修改即可重置管理员信息
'同样存在此问题的还有userinfo.asp 页面

 
 
修复方案：

外部提交，加强用户验证


作者：viekst