
A high-risk security vulnerability has been found in Discuz! X UCenter. Please fix it as soon as possible!


Recently, the Discuz! Security Center detected a security risk in UCenter. It may cause some sites to fail to correctly count the number of login failures, leaving them exposed to password brute-forcing: with a specially configured or designed program, an account can be taken over by guessing its password an unlimited number of times.

vulnerability details

In Discuz! X3.2 Release 20141225 and the UCenter release of the same period, a partially implemented "allowed login failures" feature was added. The feature was never completed: only the option on the settings interface was drafted, and later versions did not continue its development. As a result, when the basic settings are saved in the UCenter admin panel, login_failedtime on some sites is stored as 0. Because different code paths handle 0 differently, the system does not record the number of login failures at all, yet still reports "4 attempts remaining" in the prompt message; this inconsistency is the vulnerability. So if your site always tells you that 4 attempts remain no matter how many wrong passwords are entered, please update and repair it immediately.

This vulnerability is not triggered by a default Discuz! X installation. It is triggered only after an administrator enters UCenter and saves the UCenter settings, which sets login_failedtime to 0.
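The failure mode above (a stored login_failedtime of 0 handled as "disabled" by the counting and lockout paths but as a live counter by the prompt path) can be shown with a small model. The following is an added example and is not UCenter's code; the default ceiling of 5 attempts, the class and function names, the prompt wording and the audit helper are all assumptions made for the illustration. The hardened variant normalises the setting once so that every path sees the same effective limit, and the audit function flags the erroneous stored value that the repair tool corrects.

```python
# Constructed illustration of the login_failedtime == 0 failure mode.
# Not UCenter's code; the default ceiling, names and messages are assumptions.

from dataclasses import dataclass

DEFAULT_MAX_FAILURES = 5  # assumed default ceiling, not taken from UCenter


@dataclass
class AccountState:
    """Per-account failure counter as a site would persist it."""
    failures: int = 0


class VulnerableLoginPolicy:
    """Models the inconsistency: counting and lockout treat 0 as 'feature
    disabled', while the prompt still derives a remaining-attempts figure
    from the (never incremented) counter."""

    def __init__(self, login_failedtime: int):
        self.login_failedtime = login_failedtime

    def record_failure(self, state: AccountState) -> None:
        if self.login_failedtime > 0:  # 0 -> nothing is recorded
            state.failures += 1

    def is_locked(self, state: AccountState) -> bool:
        return self.login_failedtime > 0 and state.failures >= self.login_failedtime

    def prompt(self, state: AccountState) -> str:
        # The message path ignores the setting, uses the default ceiling and
        # assumes the current failure was counted; with the counter stuck at
        # 0 it therefore always reports 4 attempts remaining.
        remaining = DEFAULT_MAX_FAILURES - state.failures - 1
        return f"Wrong password, {remaining} attempts remaining"


class HardenedLoginPolicy(VulnerableLoginPolicy):
    """Normalises the setting once so every path uses one effective limit."""

    def __init__(self, login_failedtime: int):
        # A stored 0 (or negative) value means 'use the default limit',
        # never 'no limit'; the setting cannot disable counting.
        effective = login_failedtime if login_failedtime > 0 else DEFAULT_MAX_FAILURES
        super().__init__(effective)

    def record_failure(self, state: AccountState) -> None:
        state.failures += 1

    def is_locked(self, state: AccountState) -> bool:
        return state.failures >= self.login_failedtime

    def prompt(self, state: AccountState) -> str:
        remaining = max(self.login_failedtime - state.failures, 0)
        if remaining == 0:
            return "Account temporarily locked"
        return f"Wrong password, {remaining} attempts remaining"


def simulate_failed_logins(policy: VulnerableLoginPolicy, attempts: int):
    """Feed `attempts` wrong passwords through a policy.
    Returns (locked, list of prompts shown before lockout)."""
    state = AccountState()
    prompts = []
    for _ in range(attempts):
        if policy.is_locked(state):
            break
        policy.record_failure(state)
        prompts.append(policy.prompt(state))
    return policy.is_locked(state), prompts


def setting_is_misconfigured(login_failedtime) -> bool:
    """Audit check for the stored UCenter value: 0 (or anything that is not a
    positive integer) is the erroneous data the advisory's repair tool fixes."""
    try:
        return int(login_failedtime) <= 0
    except (TypeError, ValueError):
        return True


if __name__ == "__main__":
    for name, policy in (("vulnerable", VulnerableLoginPolicy(0)),
                         ("hardened", HardenedLoginPolicy(0))):
        locked, prompts = simulate_failed_logins(policy, 50)
        print(f"{name}: locked={locked}, prompts shown={len(prompts)}, last={prompts[-1]!r}")
```

Running the block shows the vulnerable policy accepting all 50 attempts while repeating the same "4 attempts remaining" message, and the hardened policy locking after the fifth failure even though its stored setting is also 0. The audit helper is the kind of check a site operator can apply to the saved UCenter setting before deciding whether the repair tool or the upgrade is needed.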

risk level

high

affected version

All Discuz! X versions released between December 25, 2014 and June 28, 2021 (X3.2, X3.3, X3.4, X3.5)

Users who run UCenter on its own should compare their release against the dates above.

You can download the "June 2021 new vulnerability special detection and repair tool" from the Application Center to check whether your site has been affected.

secure version

Discuz! X and UCenter released on 2021-06-29 or later

Repair suggestions

1. The official team has fixed the vulnerability; affected users are advised to upgrade to the latest version as soon as possible: https://gitee.com/Discuz/DiscuzX/attach_files

2. Users who cannot upgrade to the latest version can run the "June 2021 new vulnerability special detection and repair tool" to fix the erroneous data, and refer to https://gitee.com/Discuz/DiscuzX/pulls/1092 to modify the site files.

[Note]: Back up your data before upgrading, and test and evaluate the impact on your business to avoid accidents.
