Related vulnerability
Title: Octobercms security vulnerability (CVE-2021-32648)
Description: Octobercms is a PHP-based CMS website-building system from the US company Octobercms. octobercms october has a security vulnerability that stems from affected versions of the october/system package: an attacker can request a reset of an account's password and then use a specially crafted request to access the account.
Description
Patch your code for October CMS Auth Bypass CVE-2021-32648
Introduction
# CVE-2021-32648
Patch your code for October CMS Auth Bypass CVE-2021-32648
# Instructions
1. Open the file **vendor/october/rain/src/Auth/Models/User.php**
2. [Perform the patch found in these diff notes](https://github.com/daftspunk/CVE-2021-32648/commit/7dc2ce8b6d64a1954089aece560ef9f3e319b7a9)
3. Save the file
# Overview
You are converting a loose comparison to a strict comparison by replacing two (2) equal signs `==` with three (3) equal signs `===`. This blocks the attack vector as described in [CVE-2021-32648](https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc) and also [CVE-2021-29487](https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5).
This issue has been patched in October CMS Build 472 (v1.0.472+) and v1.1.5+. This issue does not affect v2.0.0+.
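As an added illustration that is not part of this repository or of October CMS, the following PHP snippet contrasts a loose token comparison with the strict one the patch introduces, and adds the type check a defender would want on top; the function names and the sample token are hypothetical, constructed for this example.

```php
<?php
// Added illustration, not October CMS code: a simplified reset-code check
// with the same shape as the patched comparison. Names are hypothetical.

// Vulnerable pattern: loose comparison. PHP's type juggling lets values that
// are not the stored string compare equal to it (for example, a boolean true
// compares loosely equal to any non-empty string, and on PHP 7 an integer 0
// compares loosely equal to any non-numeric string).
function checkResetCodeLoose(string $stored, $supplied): bool
{
    return $stored == $supplied;
}

// Patched pattern (the `==` -> `===` change in User.php): strict comparison,
// so only a value that is both a string and identical to the stored one passes.
function checkResetCodeStrict(string $stored, $supplied): bool
{
    return $stored === $supplied;
}

// Hardened pattern: reject non-string or empty input up front and compare in
// constant time so the check leaks nothing through timing either.
function checkResetCodeHardened(string $stored, $supplied): bool
{
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

$stored = 'f3a9c1d2e4b5';            // constructed sample token
$samples = [                         // constructed inputs of differing types
    'correct token' => 'f3a9c1d2e4b5',
    'wrong string'  => 'deadbeef',
    'boolean true'  => true,
    'integer zero'  => 0,
    'null'          => null,
];

foreach ($samples as $label => $value) {
    printf("%-14s loose=%-5s strict=%-5s hardened=%s\n",
        $label,
        var_export(checkResetCodeLoose($stored, $value), true),
        var_export(checkResetCodeStrict($stored, $value), true),
        var_export(checkResetCodeHardened($stored, $value), true));
}
```

Running it shows which non-string inputs the loose check accepts on the installed PHP version, while the strict and hardened checks accept only the exact stored string.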
File snapshot
[4.0K] /data/pocs/ec94bbd99fc39f081a6a176bfaa3314156ce05ac
├── [ 828] README.md
└── [ 17K] User.php
0 directories, 2 files
Notes
1. Accessing the original source is recommended first.
2. If the source has been removed or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.