-
Description:
- Bypasses CAPTCHA restrictions to perform password guessing attacks against the website administrator account.
- Impact:
- Under certain conditions, the admin account can be cracked, leading to unauthorized login, website defacement, and establishing a foothold for further attacks.
- Solution:
-
Option 1:
Official patch: http://bbs.phpcms.cn/thread-877921-1-1.html
Option 2:
if(file_exists(CACHE_PATH.'phpsso_install.lock')) {
exit('-4');
} else {
file_put_contents(CACHE_PATH.'phpsso_install.lock', '1');
}
Add the code above into phpsso_server/api/install.php at approximately line 13, or download the official patch and compare it against install.php.Option 3:
In phpsso_server/api/install.php, change the numeric value inside the second-to-last exit('-2'); to any other value.
Note: Options 2 and 3 are intended for users with custom/secondary development.