doyocms平行权限问题之泄露订单

2015-03-10T00:00:00
ID SSV:95548
Type seebug
Reporter Root
Modified 2015-03-10T00:00:00

Description

简要描述:

doyocms平行权限问题之泄露订单

详细说明:

订单越权查看漏洞 出现问题的代码位于source/member.php处 function myorder(){ if($this->syArgs('oid')||$this->syArgs('orderid',1)!=''){ if($this->syArgs('oid')){$r=array('id'=>$this->syArgs('oid'));}else{$r=array('orderid'=>$this->syArgs('orderid',1));} $this->order=syDB('order')->find($r); if($this->order['state']>0&&$this->order['virtual']==1)$this->virtuals=syDB('product_virtual')->findAll(array('oid'=>$this->order['id'],'state'=>1)); $this->goods=order_goods(unserialize($this->order['goods']),$this->order['logistics']); $this->info=unserialize($this->order['info']); $this->sendgoods=unserialize($this->order['sendgoods']); $total=0; foreach($this->goods[0] as $v){ $total=calculate($total,$v['total']); $total=calculate($total,$v['logistics_price']); } $this->aggregate=calculate($total, $this->order['favorable'],2); $this->display("member/myorderinfo.html"); }else{ $c=syClass('c_order'); $total_page=total_page($GLOBALS['G_DY']['db']['prefix'].'order where uid='.$this->my['id']); $this->lists=$c->syPager($this->syArgs('page',0,1),10,$total_page)->findAll(array('uid'=>$this->my['id']),' addtime desc '); $c_page=$c->syPager()->getPager(); $this->pages=pagetxt($c_page,$GLOBALS['G_DY']['url']["url_path_base"].'?c=member&a=myorder'); $this->display("member/myorder.html"); } }

<img src="https://images.seebug.org/upload/201503/08113333674c9e7816fc7a2e8a8021c66af86317.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

这段代码用于查看用户的订单信息 254,255,256行是关键点 但是用于查询订单信息的条件却过于简单,直接导致通过修改URL参数查看其它用户的订单信息。 验证,我注册两个用户sss 和zzz 使用系统管理员给两人注入一些钱(模拟用户)各买东西形成订单

<img src="https://images.seebug.org/upload/201503/081134086d4acd3aaa3f36c77a0e4a86cc495f35.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201503/0811345527d3b2e17270d087162be1220280149f.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

在zzz用户页面修改oid可以看到

<img src="https://images.seebug.org/upload/201503/081135354ce79cd89a06f42b11a57f00febbb802.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

他果然看到了sss购买的商品以及下面的订货信息

<img src="https://images.seebug.org/upload/201503/08113612995cce3fe20186235e585d2b75cf8c46.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

我注册两个用户sss 和zzz 使用系统管理员给两人注入一些钱(模拟用户)各买东西形成订单

<img src="https://images.seebug.org/upload/201503/081134086d4acd3aaa3f36c77a0e4a86cc495f35.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201503/0811345527d3b2e17270d087162be1220280149f.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

在zzz用户页面修改oid可以看到

<img src="https://images.seebug.org/upload/201503/081135354ce79cd89a06f42b11a57f00febbb802.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

他果然看到了sss购买的商品以及下面的订货信息

<img src="https://images.seebug.org/upload/201503/08113612995cce3fe20186235e585d2b75cf8c46.png" alt="5.png" width="600" onerror="javascript:errimg(this);">