Brief description:
A design flaw in the address-management page, simple in nature and easy to find, allows any logged-in user to read every other user's name, contact information, shipping address, and so on.
Detailed description:
After logging in, request:
http://account.dangdang.com/payhistory/myaddress.aspx?addr_id=10000&cid=1&op=bindselected
The addr_id parameter in the URL above is not tied to the logged-in account, so stepping through its values returns every user's recipient address.
Proof of vulnerability:
Sensitive information has been replaced with *.
{'addr_detail': '(Home Address) Xianlie East horizontal **************** room', 'city_id': '5', 'country_id': '000000', 'cust_address_id': '000000', 'cust_id': '000000', 'errorcode': 0, 'vince_id': '123', 'ship_man': 'Xie Chu*', 'ship_mb': '1970*******', 'ship_tel': '020-37245661', 'ship_zip': '000000', 'status': '-1', 'statuscode': 0, 'town_id': ''}
{'addr_detail': '(Home address), room *', 'city_id': '1', 'country_id': '000000', 'cust_address_id': '000000', 'cust_id': '000000', 'errorcode': 0, 'vince_id': '123', 'ship_man': 'Should*', 'ship_mb': '', 'ship_tel': '010-817********', 'ship_zip': '000000', 'status': '2', 'statuscode': 0, 'town_id': ''}
Solution:
1. When an address is requested, check on the server that the addr_id belongs to the currently logged-in user before returning it.
2. Audit the SQL statements so that they cannot be used for horizontal privilege escalation (one user reading another user's records).
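The two remediation points above, as an added example that is not Dangdang's code (the real endpoint is an ASP.NET page; this Python/sqlite3 sketch uses a constructed address table, made-up customer ids and the field names visible in the report to show the pattern). It places the flawed query, which selects by addr_id alone, beside the fixed query, which adds the session's cust_id to the predicate so the database can never return another customer's row:

```python
import sqlite3
from typing import Dict, Optional, Tuple

# Constructed sample data for this example: two customers, one address each.
# Ids, names and numbers are invented; only the column names follow the report.
SAMPLE_ADDRESSES = [
    # (cust_address_id, cust_id, ship_man, ship_tel, addr_detail)
    (10000, 501, "Customer A", "020-0000-0001", "Street A, room 1"),
    (10001, 502, "Customer B", "010-0000-0002", "Street B, room 2"),
]

COLUMNS = ("cust_address_id", "cust_id", "ship_man", "ship_tel", "addr_detail")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the address record in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE address ("
        " cust_address_id INTEGER PRIMARY KEY,"
        " cust_id INTEGER NOT NULL,"
        " ship_man TEXT, ship_tel TEXT, addr_detail TEXT)"
    )
    conn.executemany("INSERT INTO address VALUES (?, ?, ?, ?, ?)", SAMPLE_ADDRESSES)
    return conn


def _to_dict(row) -> Optional[Dict]:
    return None if row is None else dict(zip(COLUMNS, row))


def get_address_insecure(conn, session_cust_id: int, addr_id: int) -> Optional[Dict]:
    """The flawed pattern described in the report: the row is selected by
    addr_id alone, so the logged-in customer's identity never enters the
    query and any valid addr_id returns someone's address."""
    row = conn.execute(
        "SELECT cust_address_id, cust_id, ship_man, ship_tel, addr_detail"
        " FROM address WHERE cust_address_id = ?",
        (addr_id,),
    ).fetchone()
    return _to_dict(row)


def get_address_secure(conn, session_cust_id: int, addr_id: int) -> Optional[Dict]:
    """Fixed pattern: ownership is part of the WHERE clause, so the database
    only returns rows belonging to the session's customer. session_cust_id
    must come from the server-side session, never from the request."""
    row = conn.execute(
        "SELECT cust_address_id, cust_id, ship_man, ship_tel, addr_detail"
        " FROM address WHERE cust_address_id = ? AND cust_id = ?",
        (addr_id, session_cust_id),
    ).fetchone()
    return _to_dict(row)


def handle_request(conn, session_cust_id: int, addr_id: int) -> Tuple[int, Dict]:
    """Minimal handler returning (HTTP status, body) using the secure lookup.
    A foreign or non-existent addr_id is answered with 404 rather than 403,
    so the response does not reveal whether the id exists at all."""
    record = get_address_secure(conn, session_cust_id, addr_id)
    if record is None:
        return 404, {"errorcode": 1, "message": "address not found"}
    return 200, record


if __name__ == "__main__":
    db = make_db()
    # Customer 501 is logged in and asks for the address that belongs to 502.
    print("insecure:", get_address_insecure(db, 501, 10001))  # leaks B's record
    print("secure:  ", handle_request(db, 501, 10001))        # (404, ...)
    print("own:     ", handle_request(db, 501, 10000))        # (200, ...)
```

The second point in the solution list is what makes this fix auditable: every query that takes a client-supplied record id should carry the session's owner id in its predicate, and a review of the SQL can confirm that mechanically rather than trusting each page handler to check ownership separately.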
www.2cto.com note: Dangdang has announced that the issue has been fixed.
From: Beijing keyou mission @ wooyun