Email/username verification at registration and forgot-password have no anti-brute-force protection or CAPTCHA #37

Open
sparkcyf opened this issue Jan 1, 2024 · 0 comments

Comments

@sparkcyf
Copy link

sparkcyf commented Jan 1, 2024

Someone recently hammered the forgot-password email-sending endpoint of our school's course-review site, which is when I noticed this problem:

  • During registration, icourse checks whether the email and username are already registered through the reg_verify API, but this API has no Origin restriction or session restriction, so when the email format is known (for example student mailboxes whose prefix is all digits) it could be enumerated quickly.
  • Neither the registration nor the password-reset control has a CAPTCHA, which could let someone maliciously spam emails.

```python
# Existence check used by the registration page; indentation restored
# from the issue body, imports and comments added.
from flask import request

@api.route('/reg_verify', methods=['GET'])
def reg_verify():
    name = request.args.get('name')    # which field is being checked
    value = request.args.get('value')  # the candidate username or email
    if name == 'username':
        return validate_username(value)
    elif name == 'email':
        return validate_email(value)
    return 'Invalid Request', 400
```

Possible solutions: add a CAPTCHA before the registration or forgot-password form is submitted ( SUSTech-CRA@021e06a ) or add form validation ( SUSTech-CRA@05001e9 ).
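The two weaknesses described above (an existence check callable without any session context, and no limit on how fast one client can call it) can be mitigated server-side independently of the CAPTCHA. The following is an added example, not code from the icourse project or the issue author: it models the request as plain function arguments instead of a Flask route so it runs offline, and the per-client limit, window length, session-token check, registered-user set and email pattern are all constructed assumptions.

```python
"""Per-client sliding-window rate limit plus a session gate in front of an
existence check (added example; not the icourse project's code)."""
import time
from collections import defaultdict, deque

LIMIT = 5            # checks one client may make per window (assumed value)
WINDOW_SECONDS = 60  # trailing window length in seconds (assumed value)

# Constructed stand-in for the user table.
REGISTERED_EMAILS = {"12010001@mail.example.edu", "12010003@mail.example.edu"}
REGISTERED_USERNAMES = {"alice", "bob"}


class FakeClock:
    """Deterministic clock so the burst below is reproducible."""
    def __init__(self, start=0.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class SlidingWindowLimiter:
    """Allows at most `limit` requests per key inside a trailing window."""
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def validate_username(value):
    return "taken" if value in REGISTERED_USERNAMES else "ok"


def validate_email(value):
    return "taken" if value in REGISTERED_EMAILS else "ok"


def reg_verify_guarded(limiter, client_key, session_token, name, value):
    """Guarded counterpart of the issue's reg_verify; returns (body, status).

    client_key   - identifies the caller, e.g. remote address plus session id
    session_token - value the registration page placed in the session; its
                    absence means the call did not come through the form
    """
    if not session_token:
        return "Invalid Request", 400   # reject form-less lookups outright
    if not limiter.allow(client_key):
        return "Too Many Requests", 429
    if name == "username":
        return validate_username(value), 200
    if name == "email":
        return validate_email(value), 200
    return "Invalid Request", 400


def replay_burst(attempts, clock=None):
    """Replay `attempts` rapid checks of numeric-prefix addresses (constructed
    pattern) from one client and count how many were answered vs. throttled."""
    clock = clock or FakeClock()
    limiter = SlidingWindowLimiter(LIMIT, WINDOW_SECONDS, clock=clock)
    counts = {200: 0, 429: 0}
    for i in range(attempts):
        email = f"{12010000 + i}@mail.example.edu"
        _, status = reg_verify_guarded(limiter, "203.0.113.7:sess-1", "tok",
                                       "email", email)
        counts[status] += 1
        clock.advance(0.01)  # 10 ms apart, well inside one window
    return counts


if __name__ == "__main__":
    print(replay_burst(20))  # only LIMIT checks are answered, the rest get 429
```

The limiter is keyed on address plus session so a single client cannot spread guesses across sessions without also solving the form step, and the window is in-memory here; a multi-worker deployment would keep the same counters in a shared store such as Redis.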
