change the user password by brute force cracking #19
package: POST /api/User/ChangePassword/1/§whoami123§/whoami1234/189 HTTP/1.1
The impact code in IceCMS/IceWk-ment/src/main/java/com/ttice/icewkment/controller/UserController.java:
    if(!claims){
        // Handled by the front end after it receives the response
        // NOTE: the failure result is constructed but never returned, so execution continues
        Result.fail(403,"Token已过期",null);
    }
    // Check whether the previous password is correct
    QueryWrapper<User> wrapper = new QueryWrapper<>();
    wrapper.eq("user_id",userid);
    User usercheak = userMapper.selectOne(wrapper);
    String password = usercheak.getPassword();
    // Plain string equality against the stored value; no attempt limit
    if(Objects.equals(password, yuanPassWord)) {
        User user = new User();
        user.setUserId(userid);
        user.setPassword(NewPassWord);
        userMapper.updateById(user);
        return Result.succ(200, "修改成功", null);
    }
Changing the password does not need to verify the current JWT, so after getting this API address, a hacker can change the password by brute force cracking, especially when the user password is weak.
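A hardened version of the same flow, as an added example that is not IceCMS code: it returns on a missing or invalid token instead of falling through, only lets a caller change their own password, throttles failed guesses of the current password, and compares against a salted PBKDF2 hash in constant time. The `Claims` and `Result` records, the in-memory password store and the lockout parameters are assumptions standing in for the project's real types and persistence.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hardened change-password flow (added example; hypothetical stand-ins, not IceCMS code). */
public class ChangePasswordExample {

    /** Stand-in for a decoded JWT; null means the token was missing, expired or invalid. */
    record Claims(long subject) {}

    /** Stand-in for the project's Result type. */
    record Result(int code, String msg) {
        static Result fail(int code, String msg) { return new Result(code, msg); }
        static Result succ(int code, String msg) { return new Result(code, msg); }
    }

    static final int MAX_ATTEMPTS = 5;                 // assumed lockout threshold
    static final long LOCK_WINDOW_MS = 15 * 60 * 1000L; // assumed lockout window

    // user_id -> "salt:hash" PBKDF2 record (constructed in-memory store)
    final Map<Long, String> passwordStore = new ConcurrentHashMap<>();
    // user_id -> {failureCount, firstFailureMillis} (use a shared store behind several instances)
    final Map<Long, long[]> failures = new ConcurrentHashMap<>();

    public Result changePassword(Claims claims, long userId, String oldPassword, String newPassword) {
        // 1. The original handler built a 403 result and fell through; the check must return.
        if (claims == null) {
            return Result.fail(403, "token missing, expired or invalid");
        }
        // 2. A valid token is not enough: the subject must match the user being modified.
        if (claims.subject() != userId) {
            return Result.fail(403, "cannot change another user's password");
        }
        // 3. Throttle guesses of the current password so the endpoint cannot be brute forced.
        long now = System.currentTimeMillis();
        long[] f = failures.get(userId);
        if (f != null && f[0] >= MAX_ATTEMPTS && now - f[1] < LOCK_WINDOW_MS) {
            return Result.fail(429, "too many attempts, try again later");
        }
        // 4. Verify against a salted hash in constant time instead of plaintext equality.
        String stored = passwordStore.get(userId);
        if (stored == null || !verify(oldPassword, stored)) {
            failures.merge(userId, new long[]{1, now}, (old, fresh) ->
                (now - old[1] < LOCK_WINDOW_MS) ? new long[]{old[0] + 1, old[1]} : fresh);
            return Result.fail(400, "current password incorrect");
        }
        failures.remove(userId);
        passwordStore.put(userId, hash(newPassword));
        return Result.succ(200, "password changed");
    }

    /** Returns "base64(salt):base64(pbkdf2)" for storage. */
    static String hash(String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(pbkdf2(password, salt));
    }

    /** Constant-time comparison of the derived key against the stored record. */
    static boolean verify(String password, String record) {
        String[] parts = record.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt));
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 210_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ChangePasswordExample svc = new ChangePasswordExample();
        svc.passwordStore.put(1L, hash("whoami123")); // constructed sample user with the password from the report
        // No valid token: rejected before the password is even looked at.
        System.out.println(svc.changePassword(null, 1L, "whoami123", "whoami1234"));
        // Token for a different user: rejected.
        System.out.println(svc.changePassword(new Claims(2L), 1L, "whoami123", "whoami1234"));
        // Repeated wrong guesses with the victim's own token trigger the lockout.
        Claims self = new Claims(1L);
        for (int i = 0; i < MAX_ATTEMPTS; i++) svc.changePassword(self, 1L, "guess" + i, "whoami1234");
        System.out.println(svc.changePassword(self, 1L, "whoami123", "whoami1234")); // 429 while locked
    }
}
```

The lockout counter lives in process memory only to keep the example self-contained; behind a load balancer it needs a shared store, and an additional per-IP limit at the gateway is a cheap second layer. The path parameter `1` in the reported request is still accepted, but only when the token's subject is that same user.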