
Email and username verification during registration / forgot-password flow has no brute-force protection or CAPTCHA #37

Open
sparkcyf opened this issue Jan 1, 2024 · 0 comments


sparkcyf commented Jan 1, 2024

Someone recently hammered the forgot-password email-sending endpoint of our school's course-review site, which is when I noticed this problem:

  • During registration, icourse checks whether an email or username is already registered via the reg_verify API, but this API has no Origin restriction and no session restriction, so when the email pattern is known (for example student emails whose prefix is all digits) it can be enumerated quickly.
  • Neither the registration form nor the password-reset form has a CAPTCHA, which could let someone maliciously spam emails.

```python
from flask import request


@api.route('/reg_verify', methods=['GET'])
def reg_verify():
    # Which field to check ('username' or 'email') and the candidate value;
    # no rate limit, Origin check or session requirement is applied here.
    name = request.args.get('name')
    value = request.args.get('value')
    if name == 'username':
        return validate_username(value)
    elif name == 'email':
        return validate_email(value)
    return 'Invalid Request', 400
```

Possible solutions: add a CAPTCHA before the registration or forgot-password form is submitted ( SUSTech-CRA@021e06a ) or add form validation ( SUSTech-CRA@05001e9 )
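As an added illustration of the brute-force protection the issue asks for (this is example code, not icourse's own), the following puts a per-client sliding-window rate limit in front of the reg_verify check so a single IP or session can only probe a handful of emails or usernames per minute. The limit values, the `REGISTERED` lookup table that stands in for the project's validate_username/validate_email, and the `client_key` argument (which would be `request.remote_addr` or a session id when wired into the Flask route) are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed policy: at most 5 existence checks per client every 60 seconds.
MAX_CHECKS_PER_WINDOW = 5
WINDOW_SECONDS = 60


class SlidingWindowLimiter:
    """Per-key sliding-window counter; the clock is injectable for testing."""

    def __init__(self, limit=MAX_CHECKS_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent hits

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        # Drop hits that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Constructed stand-in for the real database lookups (not icourse data).
REGISTERED = {
    "username": {"alice"},
    "email": {"12345678@example.edu"},
}


def reg_verify(client_key, name, value, limiter):
    """Rate-limited version of the check; returns (body, HTTP status)."""
    # Count every request against the budget, even malformed ones, so
    # probing cannot be made free by varying the parameters.
    if not limiter.allow(client_key):
        return "Too Many Requests", 429
    if name not in REGISTERED or not value:
        return "Invalid Request", 400
    taken = value.lower() in REGISTERED[name]
    return ("taken" if taken else "available"), 200
```

In the Flask handler, `client_key` would be derived from the session (preferred) or `request.remote_addr`, and the 429 response is the signal to alert on when one key hits it repeatedly.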
