当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(12) 关注此漏洞

缺陷编号: WooYun-2014-49250

漏洞标题: ECSHOP手机订单程序漏洞能获取大量用户信息

相关厂商: ShopEx

漏洞作者: Mr.Zhang

提交时间: 2014-01-18 20:11

公开时间: 2014-04-18 20:11

漏洞类型: 重要资料/文档外泄

危害等级: 中

自评Rank: 6

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 前台订单漏洞

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-18: 细节已通知厂商并且等待厂商处理中
2014-01-20: 厂商已经确认,细节仅向厂商公开
2014-01-23: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-03-16: 细节向核心白帽子及相关领域专家公开
2014-03-26: 细节向普通白帽子公开
2014-04-05: 细节向实习白帽子公开
2014-04-18: 细节向公众公开

简要描述:

ECSHOP手机订单获取有漏洞,导致客户订单资料外泄

详细说明:

code 区域
elseif ($act == 'order_list')


{


    $record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}");


    if ($record_count > 0)


    {


        include_once(ROOT_PATH . 'includes/lib_transaction.php');


        $page_num = '10';


        $page = !empty($_GET['page']) ? intval($_GET['page']) : 1;


        $pages = ceil($record_count / $page_num);





        if ($page <= 0)


        {


            $page = 1;


        }


        if ($pages == 0)


        {


            $pages = 1;


        }


        if ($page > $pages)


        {


            $page = $pages;


        }


        $pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page');


        $smarty->assign('pagebar' , $pagebar);


        /* 订单状态 */


        $_LANG['os'][OS_UNCONFIRMED] = '未确认';


        $_LANG['os'][OS_CONFIRMED] = '已确认';


        $_LANG['os'][OS_SPLITED] = '已确认';


        $_LANG['os'][OS_SPLITING_PART] = '已确认';


        $_LANG['os'][OS_CANCELED] = '已取消';


        $_LANG['os'][OS_INVALID] = '无效';


        $_LANG['os'][OS_RETURNED] = '退货';





        $_LANG['ss'][SS_UNSHIPPED] = '未发货';


        $_LANG['ss'][SS_PREPARING] = '配货中';


        $_LANG['ss'][SS_SHIPPED] = '已发货';


        $_LANG['ss'][SS_RECEIVED] = '收货确认';


        $_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)';


        $_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单





        $_LANG['ps'][PS_UNPAYED] = '未付款';


        $_LANG['ps'][PS_PAYING] = '付款中';


        $_LANG['ps'][PS_PAYED] = '已付款';


        $_LANG['cancel'] = '取消订单';


        $_LANG['pay_money'] = '付款';


        $_LANG['view_order'] = '查看订单';


        $_LANG['received'] = '确认收货';


        $_LANG['ss_received'] = '已完成';


        $_LANG['confirm_received'] = '你确认已经收到货物了吗?';


        $_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单';





        $orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1));


        if (!empty($orders))


        {


            foreach ($orders as $key => $val)


            {


                $orders[$key]['total_fee'] = encode_output($val['total_fee']);


            }


        }


        //$merge  = get_user_merge($_SESSION['user_id']);





        $smarty->assign('orders', $orders);


    }


    $smarty->assign('footer', get_footer());


    $smarty->display('order_list.html');


    exit;


}



没有对访问这个页面的用户进行过滤,直接可以输出所有查询出来的值

甚至可以对订单进行操作

漏洞证明:

code 区域
elseif ($act == 'order_list')


{


    $record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}");


    if ($record_count > 0)


    {


        include_once(ROOT_PATH . 'includes/lib_transaction.php');


        $page_num = '10';


        $page = !empty($_GET['page']) ? intval($_GET['page']) : 1;


        $pages = ceil($record_count / $page_num);





        if ($page <= 0)


        {


            $page = 1;


        }


        if ($pages == 0)


        {


            $pages = 1;


        }


        if ($page > $pages)


        {


            $page = $pages;


        }


        $pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page');


        $smarty->assign('pagebar' , $pagebar);


        /* 订单状态 */


        $_LANG['os'][OS_UNCONFIRMED] = '未确认';


        $_LANG['os'][OS_CONFIRMED] = '已确认';


        $_LANG['os'][OS_SPLITED] = '已确认';


        $_LANG['os'][OS_SPLITING_PART] = '已确认';


        $_LANG['os'][OS_CANCELED] = '已取消';


        $_LANG['os'][OS_INVALID] = '无效';


        $_LANG['os'][OS_RETURNED] = '退货';





        $_LANG['ss'][SS_UNSHIPPED] = '未发货';


        $_LANG['ss'][SS_PREPARING] = '配货中';


        $_LANG['ss'][SS_SHIPPED] = '已发货';


        $_LANG['ss'][SS_RECEIVED] = '收货确认';


        $_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)';


        $_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单





        $_LANG['ps'][PS_UNPAYED] = '未付款';


        $_LANG['ps'][PS_PAYING] = '付款中';


        $_LANG['ps'][PS_PAYED] = '已付款';


        $_LANG['cancel'] = '取消订单';


        $_LANG['pay_money'] = '付款';


        $_LANG['view_order'] = '查看订单';


        $_LANG['received'] = '确认收货';


        $_LANG['ss_received'] = '已完成';


        $_LANG['confirm_received'] = '你确认已经收到货物了吗?';


        $_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单';





        $orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1));


        if (!empty($orders))


        {


            foreach ($orders as $key => $val)


            {


                $orders[$key]['total_fee'] = encode_output($val['total_fee']);


            }


        }


        //$merge  = get_user_merge($_SESSION['user_id']);





        $smarty->assign('orders', $orders);


    }


    $smarty->assign('footer', get_footer());


    $smarty->display('order_list.html');


    exit;


}



去百度 搜索powered by ecshop

所有开通手机网站的ecshop商城 域名后加mobile/user.php?act=order_list

即可访问所有匿名购买者的订单,并可对其订单进行操作



_20140118174535.jpg



修复方案:

建议对访问者进行登录验证,非登录用户禁止访问

版权声明:转载请注明来源 Mr.Zhang@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2014-01-20 11:18

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录