乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-01-18: 细节已通知厂商并且等待厂商处理中 2014-01-20: 厂商已经确认,细节仅向厂商公开 2014-01-23: 细节向第三方安全合作伙伴开放 2014-03-16: 细节向核心白帽子及相关领域专家公开 2014-03-26: 细节向普通白帽子公开 2014-04-05: 细节向实习白帽子公开 2014-04-18: 细节向公众公开
ECSHOP手机订单获取有漏洞,导致客户订单资料外泄
elseif ($act == 'order_list'){ $record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}"); if ($record_count > 0) { include_once(ROOT_PATH . 'includes/lib_transaction.php'); $page_num = '10'; $page = !empty($_GET['page']) ? intval($_GET['page']) : 1; $pages = ceil($record_count / $page_num); if ($page <= 0) { $page = 1; } if ($pages == 0) { $pages = 1; } if ($page > $pages) { $page = $pages; } $pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page'); $smarty->assign('pagebar' , $pagebar); /* 订单状态 */ $_LANG['os'][OS_UNCONFIRMED] = '未确认'; $_LANG['os'][OS_CONFIRMED] = '已确认'; $_LANG['os'][OS_SPLITED] = '已确认'; $_LANG['os'][OS_SPLITING_PART] = '已确认'; $_LANG['os'][OS_CANCELED] = '已取消'; $_LANG['os'][OS_INVALID] = '无效'; $_LANG['os'][OS_RETURNED] = '退货'; $_LANG['ss'][SS_UNSHIPPED] = '未发货'; $_LANG['ss'][SS_PREPARING] = '配货中'; $_LANG['ss'][SS_SHIPPED] = '已发货'; $_LANG['ss'][SS_RECEIVED] = '收货确认'; $_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)'; $_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单 $_LANG['ps'][PS_UNPAYED] = '未付款'; $_LANG['ps'][PS_PAYING] = '付款中'; $_LANG['ps'][PS_PAYED] = '已付款'; $_LANG['cancel'] = '取消订单'; $_LANG['pay_money'] = '付款'; $_LANG['view_order'] = '查看订单'; $_LANG['received'] = '确认收货'; $_LANG['ss_received'] = '已完成'; $_LANG['confirm_received'] = '你确认已经收到货物了吗?'; $_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单'; $orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1)); if (!empty($orders)) { foreach ($orders as $key => $val) { $orders[$key]['total_fee'] = encode_output($val['total_fee']); } } //$merge = get_user_merge($_SESSION['user_id']); $smarty->assign('orders', $orders); } $smarty->assign('footer', get_footer()); $smarty->display('order_list.html'); exit;}
没有对访问这个页面的用户进行过滤,直接可以输出所有查询出来的值甚至可以对订单进行操作
去百度 搜索powered by ecshop所有开通手机网站的ecshop商城 域名后加mobile/user.php?act=order_list即可访问所有匿名购买者的订单,并可对其订单进行操作
建议对访问者进行登录验证,非登录用户禁止访问
危害等级:中
漏洞Rank:8
确认时间:2014-01-20 11:18
非常感谢您为shopex信息安全做的贡献我们将尽快修复非常感谢
暂无