Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access authorization code captcha vulnerability #13147

Closed
3 tasks done
xzajyjs opened this issue Nov 14, 2024 · 3 comments
Closed
3 tasks done

Access authorization code captcha vulnerability #13147

xzajyjs opened this issue Nov 14, 2024 · 3 comments
Assignees
@88250
Labels
Bug
Milestone
3.1.12

Comments

@xzajyjs
Copy link

xzajyjs commented Nov 14, 2024
edited by 88250
Loading

There is a logic vulnerability in the verification code of the login interface

Is there an existing issue for this?

  • I have searched the existing issues

Can the issue be reproduced with the default theme (daylight/midnight)?

  • I was able to reproduce the issue with the default theme

Could the issue be due to extensions?

  • I've ruled out the possibility that the extension is causing the problem.

Describe the problem

After the front-end enters the correct verification code, the packet is captured and held, and then the current verification code can be used for unlimited replay attacks (the password can be cracked)

Step 1. Capture the packet

image-20241114170406421

Step 2. Use the same verification code to blast password

image-20241114170356960

Step 3. Find the correct password no need verifying the verification code

image-20241114170346964

Expected result

The current verification code lifecycle ends after each login attempt

Screenshot or screen recording presentation

No response

Version environment

- Version: All Versions
- Operating System: All Systems
- Browser (if used): All Browsers

Log file

No need.

More information

No response
@88250
Copy link
Member

88250 commented Nov 14, 2024

Hi, do you mean the captch will not be reset?

@xzajyjs
Copy link
Author

xzajyjs commented Nov 14, 2024

Yes

@88250 88250 self-assigned this Nov 14, 2024
@88250 88250 added the Bug label Nov 14, 2024
@88250 88250 added this to the 3.1.12 milestone Nov 14, 2024
@88250
Copy link
Member

88250 commented Nov 14, 2024

Thanks for the feedback, I have been able to reproduce the issue and will fix it in the next version.

@88250 88250 changed the title There is a logic vulnerability in the verification code of the login interface Access authorization code vulnerability Nov 14, 2024
@88250 88250 changed the title Access authorization code vulnerability Access authorization code captcha vulnerability Nov 15, 2024
88250 added a commit that referenced this issue Nov 15, 2024
@88250
🎨 Access authorization code captcha vulnerability #13147
f34dd62
@88250 88250 closed this as completed Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@88250 88250

Labels
Bug
Projects
None yet
Milestone
3.1.12
Development

No branches or pull requests
2 participants
@88250 @xzajyjs