
Vulnerability summary

Defect ID: wooyun-2012-07585

Vulnerability title: Alipay transaction information disclosure, etc.

Affected vendor: Alipay (支付宝)

Vulnerability author: zeracker

Submitted: 2012-05-27 21:01

Fix time: 2012-06-01 21:01

Public disclosure: 2012-06-01 21:01

Vulnerability type: Sensitive information disclosure

Severity: Medium

Self-assessed Rank: 10

Vulnerability status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2012-05-27: Details sent to the vendor; awaiting vendor action
2012-06-01: Vendor proactively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011080757367455&outBizNo=2011080701976855&settleStatus=S&bizIdentity=trade30001&orderId=7f2c492f1d4dbd5b9399287470ae9c16&signData=817a3ed0e6fcea78a91046b204689827
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011113031140082&outBizNo=2011113068080882&settleStatus=S&bizIdentity=trade30001&orderId=79fcecb20058c85cecdaae6c7a714802&signData=849f245f8eb4af5744bf6c828a69cdea
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011112090032338&outBizNo=2011112017277138&settleStatus=S&bizIdentity=trade30001&orderId=1055787abc3a58a92c2b46ce4a717ea3&signData=f9b313cb90033b89aeac126a92e22eaa
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011082552069093&outBizNo=2011082511373193&settleStatus=S&bizIdentity=trade30001&orderId=7adcacac85911e25163023b46a4ed737&signData=623dad933f6bf6b1041f70f73eaedc3b
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011101324041849&settleStatus=S&errorMsg=&signData=37061723d1268067aa68c294b7baae6a&merVAR=&notifyData=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IkdCSyIgc3
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011121292986160&settleStatus=S&errorMsg=&signData=d135f6731821523eec72f34cef143572&merVAR=&notifyData=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IkdCSyIgc3
https://cashier.alipay.com/standard/result/paymentResult.htm?settleStatus=S&isSettleSuccess=true&depositId=2011031974521180&outBizNo=2011031997740292&bizIdentity=trade30001&orderId=524be3b0711a12b3c9f76c709d839ba3&signData=37e41e2ff3037eca31a01e6f22df5203
https://cashier.alipay.com/standard/result/paymentResult.htm?settleStatus=S&isSettleSuccess=true&depositId=2012052122395041&outBizNo=2012052159566141&bizIdentity=trade30001&orderId=0521cd2cb9db166d38833c0100571418&signData=2d7d60babacbcb514815fd998bed95ee
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2012022599555295&outBizNo=2012022472986595&settleStatus=S&bizIdentity=trade30001&orderId=f8b38c82599b7933c586160029503063&signData=038f19b006a24fa889b4aaa693a2bc76
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2012010963115297&outBizNo=2012010922053897&settleStatus=S&bizIdentity=trade30001&orderId=d0b4a40c48ee8e6571017de0bfa3063b&signData=c51ec7c214d5b670f9cc25c2aea8b140
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011111650698047&outBizNo=201111162940116&settleStatus=S&bizIdentity=puc10002&orderId=e2f6b9ff378ec02b2abb12e99523fbf9&signData=7930d106a973ba1df40c391055bad916
The order numbers are very easy to obtain. I haven't looked any further for now.

Proof of vulnerability:

https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011101324041849&settleStatus=S&errorMsg=&signData=37061723d1268067aa68c294b7baae6a&merVAR=&notifyData=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IkdCSyIgc3
Damn. I can't upload images. It keeps freezing on me.



Payment successful. The transfer-to-bank-card request has been submitted and is being processed.
If the bank details were entered incorrectly, the funds will be automatically refunded to your payment account (bank card or Alipay account).
Transfer details
Receiving bank account:
张锡堂
Industrial and Commercial Bank of China (**** **** **** 9370)
Amount received: 7200.00 yuan
Service fee: 12.60 yuan
Memo: 新疆陈万彬购3卷鼠
Expected arrival: before 2012/05/28 24:00
Payer: 陈万彬 ([email protected]
The arrival time is the highlight: it's today's.
https://cashier.alipay.com/standard/result/paymentResult.htm?isSettleSuccess=true&depositId=2011080765831692&outBizNo=2011080728676792&settleStatus=S&bizIdentity=trade30001&orderId=5c0cc51a42c6adaeecd8608b3c8e3bf3&signData=e02bfaf843d1461b48cb459af5046474
https://www.google.com.hk/#q=site:http://cashier.alipay.com/+depositId&hl=zh-CN&newwindow=1&safe=strict&prmd=imvns&filter=0&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=439f61648a50666&biw=1163&bih=850

Fix recommendation:

You know what to do. I'm still looking at the order numbers; submitting this much for now.
If this gets ignored again, I'll stop following up, no question.
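The report leaves the fix to the reader. The practitioner's point is that each of the links above carries everything needed to view the page (a signature over the order fields, but no expiry and no binding to the payer's session), so a copied link stays valid for anyone who finds it, including a search engine crawler. The following is an added example, not Alipay's code: it contrasts that "static" signed link with one bound to the paying session and a short expiry, and lists the response headers a result page should send so a leaked link is neither indexed nor cached. How Alipay actually computes signData is not known from this page; the HMAC scheme, the server key, the session ids, the host cashier.example.test and the constructed sample parameters are all assumptions for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical server-side key; in a real deployment it would live in a KMS/HSM.
SERVER_KEY = b"example-only-server-key"

# Constructed sample mirroring the field names in the report's URLs
# (isSettleSuccess, depositId, outBizNo, settleStatus, bizIdentity); values are made up.
SAMPLE_PARAMS = {
    "isSettleSuccess": "true",
    "depositId": "2012052100000001",
    "outBizNo": "2012052100000002",
    "settleStatus": "S",
    "bizIdentity": "trade30001",
}
BASE = "https://cashier.example.test/standard/result/paymentResult.htm"


def _query(url: str) -> dict:
    """Flatten the query string to {name: value}; keep blanks such as errorMsg=."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def _canonical(params: dict) -> bytes:
    """Deterministic name=value&... encoding, sorted by name, signData excluded."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "signData").encode()


def sign_static(params: dict) -> str:
    """Weak pattern (assumed, resembling the report's links): the signature covers
    only the business fields, so the link is valid for anyone, from any browser,
    at any later date."""
    return hmac.new(SERVER_KEY, _canonical(params), hashlib.sha256).hexdigest()


def make_static_url(params: dict) -> str:
    return BASE + "?" + urlencode(dict(params, signData=sign_static(params)))


def verify_static(url: str) -> bool:
    q = _query(url)
    return hmac.compare_digest(sign_static(q), q.get("signData", ""))


def make_bound_url(params: dict, session_id: str, now: int, ttl: int = 300) -> str:
    """Hardened pattern: the signature also covers an expiry (exp) and the payer's
    server-side session id, which never appears in the URL. A copied link is
    useless to a third party and stops working after `ttl` seconds."""
    fields = dict(params, exp=str(now + ttl))
    msg = _canonical(fields) + b"|" + session_id.encode()
    fields["signData"] = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return BASE + "?" + urlencode(fields)


def verify_bound_url(url: str, session_id: str, now: int) -> bool:
    """session_id comes from the viewer's login cookie, not from the link."""
    q = _query(url)
    try:
        exp = int(q.get("exp", "0"))
    except ValueError:
        return False
    if now > exp:
        return False
    msg = _canonical(q) + b"|" + session_id.encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, q.get("signData", ""))


def result_page_headers() -> dict:
    """Headers the result page should carry regardless of the token design,
    so that a link which does leak is neither indexed, cached, nor passed on
    as a Referer to third-party sites."""
    return {
        "Cache-Control": "no-store, private",
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    static = make_static_url(SAMPLE_PARAMS)
    print("static link, any viewer, any time:", verify_static(static))
    bound = make_bound_url(SAMPLE_PARAMS, "sess-payer", now=1338000000)
    print("bound link, payer, in time:   ", verify_bound_url(bound, "sess-payer", 1338000100))
    print("bound link, other viewer:     ", verify_bound_url(bound, "sess-crawler", 1338000100))
    print("bound link, after expiry:     ", verify_bound_url(bound, "sess-payer", 1338000400))
```

Binding to the session means the result page is only a view of state the server already associates with the logged-in payer; the link itself then carries no authority, so it does not matter whether the user pastes it into a forum or a crawler finds it. The headers are a second line of defence for the case the vendor response describes, a link that is copied elsewhere and indexed.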

Copyright notice: when republishing, please credit the source: zeracker@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2012-06-01 21:01

Vendor reply:

Vulnerability Rank: 9 (WooYun rating)

Latest status:

2012-06-02: Thanks to zeracker. The page is the result page shown to users after an Alipay transfer or transaction completes; users copied the link elsewhere, which led to it being indexed by Google. A small amount of user information is involved. We will strengthen the protection of user information going forward; Alipay has always paid attention to and protected users' private information.