当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-049250

漏洞标题:ECSHOP手机订单程序漏洞能获取大量用户信息

相关厂商:ShopEx

漏洞作者: Mr.Zhang

提交时间:2014-01-18 20:11

修复时间:2014-04-18 20:11

公开时间:2014-04-18 20:11

漏洞类型:重要资料/文档外泄

危害等级:中

自评Rank:6

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-01-18: 细节已通知厂商并且等待厂商处理中
2014-01-20: 厂商已经确认,细节仅向厂商公开
2014-01-23: 细节向第三方安全合作伙伴开放
2014-03-16: 细节向核心白帽子及相关领域专家公开
2014-03-26: 细节向普通白帽子公开
2014-04-05: 细节向实习白帽子公开
2014-04-18: 细节向公众公开

简要描述:

ECSHOP手机订单获取有漏洞,导致客户订单资料外泄

详细说明:

elseif ($act == 'order_list')
{
$record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}");
if ($record_count > 0)
{
include_once(ROOT_PATH . 'includes/lib_transaction.php');
$page_num = '10';
$page = !empty($_GET['page']) ? intval($_GET['page']) : 1;
$pages = ceil($record_count / $page_num);
if ($page <= 0)
{
$page = 1;
}
if ($pages == 0)
{
$pages = 1;
}
if ($page > $pages)
{
$page = $pages;
}
$pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page');
$smarty->assign('pagebar' , $pagebar);
/* 订单状态 */
$_LANG['os'][OS_UNCONFIRMED] = '未确认';
$_LANG['os'][OS_CONFIRMED] = '已确认';
$_LANG['os'][OS_SPLITED] = '已确认';
$_LANG['os'][OS_SPLITING_PART] = '已确认';
$_LANG['os'][OS_CANCELED] = '已取消';
$_LANG['os'][OS_INVALID] = '无效';
$_LANG['os'][OS_RETURNED] = '退货';
$_LANG['ss'][SS_UNSHIPPED] = '未发货';
$_LANG['ss'][SS_PREPARING] = '配货中';
$_LANG['ss'][SS_SHIPPED] = '已发货';
$_LANG['ss'][SS_RECEIVED] = '收货确认';
$_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)';
$_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单
$_LANG['ps'][PS_UNPAYED] = '未付款';
$_LANG['ps'][PS_PAYING] = '付款中';
$_LANG['ps'][PS_PAYED] = '已付款';
$_LANG['cancel'] = '取消订单';
$_LANG['pay_money'] = '付款';
$_LANG['view_order'] = '查看订单';
$_LANG['received'] = '确认收货';
$_LANG['ss_received'] = '已完成';
$_LANG['confirm_received'] = '你确认已经收到货物了吗?';
$_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单';
$orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1));
if (!empty($orders))
{
foreach ($orders as $key => $val)
{
$orders[$key]['total_fee'] = encode_output($val['total_fee']);
}
}
//$merge = get_user_merge($_SESSION['user_id']);
$smarty->assign('orders', $orders);
}
$smarty->assign('footer', get_footer());
$smarty->display('order_list.html');
exit;
}


没有对访问这个页面的用户进行过滤,直接可以输出所有查询出来的值
甚至可以对订单进行操作

漏洞证明:

elseif ($act == 'order_list')
{
$record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}");
if ($record_count > 0)
{
include_once(ROOT_PATH . 'includes/lib_transaction.php');
$page_num = '10';
$page = !empty($_GET['page']) ? intval($_GET['page']) : 1;
$pages = ceil($record_count / $page_num);
if ($page <= 0)
{
$page = 1;
}
if ($pages == 0)
{
$pages = 1;
}
if ($page > $pages)
{
$page = $pages;
}
$pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page');
$smarty->assign('pagebar' , $pagebar);
/* 订单状态 */
$_LANG['os'][OS_UNCONFIRMED] = '未确认';
$_LANG['os'][OS_CONFIRMED] = '已确认';
$_LANG['os'][OS_SPLITED] = '已确认';
$_LANG['os'][OS_SPLITING_PART] = '已确认';
$_LANG['os'][OS_CANCELED] = '已取消';
$_LANG['os'][OS_INVALID] = '无效';
$_LANG['os'][OS_RETURNED] = '退货';
$_LANG['ss'][SS_UNSHIPPED] = '未发货';
$_LANG['ss'][SS_PREPARING] = '配货中';
$_LANG['ss'][SS_SHIPPED] = '已发货';
$_LANG['ss'][SS_RECEIVED] = '收货确认';
$_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)';
$_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单
$_LANG['ps'][PS_UNPAYED] = '未付款';
$_LANG['ps'][PS_PAYING] = '付款中';
$_LANG['ps'][PS_PAYED] = '已付款';
$_LANG['cancel'] = '取消订单';
$_LANG['pay_money'] = '付款';
$_LANG['view_order'] = '查看订单';
$_LANG['received'] = '确认收货';
$_LANG['ss_received'] = '已完成';
$_LANG['confirm_received'] = '你确认已经收到货物了吗?';
$_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单';
$orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1));
if (!empty($orders))
{
foreach ($orders as $key => $val)
{
$orders[$key]['total_fee'] = encode_output($val['total_fee']);
}
}
//$merge = get_user_merge($_SESSION['user_id']);
$smarty->assign('orders', $orders);
}
$smarty->assign('footer', get_footer());
$smarty->display('order_list.html');
exit;
}


去百度 搜索powered by ecshop
所有开通手机网站的ecshop商城 域名后加mobile/user.php?act=order_list
即可访问所有匿名购买者的订单,并可对其订单进行操作

_20140118174535.jpg


修复方案:

建议对访问者进行登录验证,非登录用户禁止访问

版权声明:转载请注明来源 Mr.Zhang@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2014-01-20 11:18

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无