JJDD. COM to bypass permission verification any comment-vulnerability warning-the black bar safety net

2012-08-21T00:00:00
ID MYHACK58:62201234642
Type myhack58
Reporter 佚名
Modified 2012-08-21T00:00:00

Description

http://jjdd.com/ for the heat of the people you want to reply to a comment, etc. are in need of red beans, and red beans to purchase.

Now you can directly use this interface to bypass the front Desk permission to verify http://www.jjdd.com/comment/add_comment?uid={uid}&ouid={ouid}&relate_uid=&reply_comment_id=&source_id=3&source_type=3&status=1&content=test&pay_card=0

{uid}: the sender's user ID {ouid}: receiving information of user ID {source_type}: the type of information that is currently known to have 1 is album; 2 is a personal to talk about; 3 is a small interview {source_id}: information type corresponding to the Object ID by viewing the html source code can know to reply to the corresponding ID is how many)

Through the above DEMO address, the parameter corresponding to the fill can be any message reply. And the user ID can be any fill in, not limited to only the current logged-in user.

Repair solutions: In this interface to verify the permissions of the author