2012-10-18: 细节已通知厂商并且等待厂商处理中 2012-10-23: 厂商已经主动忽略漏洞,细节向公众公开
普通会员登录网站后,通过恶意构造的URL可以查看、修改和删除整个网站的收货地址,造成用户敏感隐私泄漏和网站不必要的损失。
core/shop/controller/ctl.member.php文件
// Modify shipping address (original comment: 修改收货地址).
// Loads the address row selected by $addrId and renders the edit form.
// $addrId is taken from the URL as-is; nothing in this method compares the
// row's owner with $this->member['member_id'], so the lookup is scoped by
// address id only (this is the missing ownership check the report is about).
function modifyReceiver($addrId){
    $oMem = &$this->system->loadModel('member/member');
    // getAddrById() is called with the id alone; whether the model itself
    // restricts the row to the current member cannot be seen here -- the
    // report states it does not.
    if($aRet = $oMem->getAddrById($addrId)){
        $aRet['defOpt'] = array('0'=>__('否'), '1'=>__('是'));
        $this->pagedata = $aRet;
    }else{
        // Unknown id -> 404 and stop.
        $this->system->error(404);
        exit;
    }
    $this->_output();
}

// Save the posted address changes.
// addr_id and every field come from $_POST untouched; the only member
// context handed to the model is member_id. No check here that the posted
// addr_id belongs to that member (the report's second affected function).
// On failure the error is raised via trigger_error() and the user is sent
// back to the edit form for the same addr_id.
function saveRec(){
    $this->begin($this->system->mkUrl('member','modifyReceiver',array($_POST['addr_id'])));
    $oMem = &$this->system->loadModel('member/member');
    // $message is filled by the model (presumably by reference) -- confirm.
    if($oMem->saveRec($_POST,$this->member['member_id'],$message)){
        $this->redirect('member','receiver');
    }
    trigger_error($message, E_USER_ERROR);
    $this->end(false,__('修改失败'),$this->system->mkUrl('member','modifyReceiver',array($_POST['addr_id'])));
}

// Delete shipping address (original comment: 删除收货地址).
// delRec() receives the URL-supplied id and nothing else: there is no
// comparison with the logged-in member before the row is removed (the
// report's third affected function).
function delRec($addrId){
    $oMem = &$this->system->loadModel('member/member');
    if($oMem->delRec($addrId)){
        $this->redirect('member','receiver');
    }
    $this->_output();
}
以上三个函数没有对所修改的地址所属用户ID进行判断,造成用户信息泄漏和安全隐患。
打开任意shopex4.85网站,注册会员登录后,修改以下URL中的ID属性/?member-21-modifyReceiver.html 可显示和修改其他用户的地址/?member-21-delRec.html 可删除其他用户的地址
在上述函数中添加对地址所属用户ID的判断
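// Ownership gate shared by modifyReceiver(), saveRec() and delRec().
// Returns the address row when $addrId resolves to a row that belongs to the
// logged-in member; otherwise answers 404 and stops, the same way the old
// not-found branch did.
// Fail-closed on purpose: in the proposed patch a lookup that returned nothing
// simply skipped the owner comparison, so an id the model could not resolve
// still reached saveRec()/delRec(). Here an unresolved id is denied too.
// @param object $oMem   the member/member model
// @param mixed  $addrId address id taken from the URL or the form
// @return array the address row
function _addrOrDeny($oMem, $addrId){
    $aRet = $oMem->getAddrById($addrId);
    // Compared as int on both sides so '5' from the row and 5 from the session
    // agree -- assumes member ids are numeric; confirm against the member model.
    if(!$aRet || (int)$aRet['member_id'] !== (int)$this->member['member_id']){
        $this->system->error(404);
        exit;
    }
    return $aRet;
}

// Modify shipping address (original comment: 修改收货地址).
// Renders the edit form for $addrId, but only after _addrOrDeny() has
// confirmed the row exists and belongs to the current member.
function modifyReceiver($addrId){
    $oMem = &$this->system->loadModel('member/member');
    $aRet = $this->_addrOrDeny($oMem, $addrId);
    $aRet['defOpt'] = array('0'=>__('否'), '1'=>__('是'));
    $this->pagedata = $aRet;
    $this->_output();
}

// Save the posted address changes.
// When the form carries an addr_id the row it names must exist and be owned
// by the current member (update path). An empty addr_id is passed through to
// the model unchanged -- presumably the add-new-address path; confirm.
// On failure the error is raised via trigger_error() and the user is sent
// back to the edit form for the same addr_id.
function saveRec(){
    // Read addr_id once so the redirect URL, the gate and the model all see
    // the same value; avoids an undefined-index notice when it is absent.
    $addrId = isset($_POST['addr_id']) ? $_POST['addr_id'] : '';
    $this->begin($this->system->mkUrl('member','modifyReceiver',array($addrId)));
    $oMem = &$this->system->loadModel('member/member');
    // strip_tags() only accepts strings; nested arrays (e.g. checkbox groups)
    // are left as they are instead of being replaced by a warning/null.
    // Note this is input mangling, not output escaping -- values still need
    // htmlspecialchars() wherever they are rendered into HTML.
    foreach($_POST as $ke=>$ve){
        if(is_string($ve)){
            $_POST[$ke] = strip_tags($ve);
        }
    }
    if($addrId !== ''){
        // Fail-closed: unknown or foreign addr_id -> 404 + exit inside the gate.
        $this->_addrOrDeny($oMem, $addrId);
    }
    // $message is filled by the model (presumably by reference) -- confirm.
    $message = '';
    if($oMem->saveRec($_POST,$this->member['member_id'],$message)){
        $this->redirect('member','receiver');
    }
    trigger_error($message, E_USER_ERROR);
    $this->end(false,__('修改失败'),$this->system->mkUrl('member','modifyReceiver',array($addrId)));
}

// Delete shipping address (original comment: 删除收货地址).
// The ownership gate is run on $addrId -- the id actually handed to delRec() --
// rather than on $_POST['addr_id'] as in the proposed patch, where the two
// could differ (or the POST field be absent) and the URL id would still be
// deleted unchecked.
function delRec($addrId){
    $oMem = &$this->system->loadModel('member/member');
    $this->_addrOrDeny($oMem, $addrId);
    if($oMem->delRec($addrId)){
        $this->redirect('member','receiver');
    }
    $this->_output();
}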
危害等级:无影响,厂商忽略
忽略时间:2012-10-23 10:54
2012-10-23: 额……貌似没收到通知邮件,不好意思。这个问题一直存在,正在修改。感谢您的提交,非常感谢。