Orders on the mobile version can be leaked and cancelled without authorization.
Order information is leaked without directly disclosing user information.
Other people's orders can be cancelled.
The order ID can be traversed, giving access across the whole site ......
Vulnerability impact: low.
We found that the mobile edition and the computer edition use the same database.
You can cancel orders across the whole site.
I'm sorry for the cancelled orders ......
Register first, then log in to the mobile version and rent a car.
Select two cars, just slightly better ones.
Submit the certification materials.
Once the order takes effect, view your order information.
Take a closer look at the order ID.
My order number is 1434. Change the value to 1425 and you can view another person's order.
Someone else's information is displayed.
Check the order status: To be confirmed.
Now let's make a comparison ......
The link to cancel an order: http://m.zuyaya.com/update_order_status.action?OrderId=1435
Change the ID to 1425:
http://m.zuyaya.com/update_order_status.action?OrderId=1425
Then open it in the address bar.
It really is an access beyond the caller's authority ......
@Tiexiao huochexia: Is traversing orders beyond one's authority on two taxi networks not worth Rank 15?
Solution:
Add permission control on the order status endpoint.
Hide or encrypt the order ID.
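The two fixes from the solution, as an added example that is not code from zuyaya.com: a minimal model of the update_order_status.action handler, once trusting the orderId alone as the report describes, and once with an ownership check and an opaque order reference. The order table, user names and server key are constructed for the example.

```python
# Added example, not code from the zuyaya.com site: the cancel endpoint
# modelled once without and once with the two fixes from the solution.
# All names, the sample orders and the server key are constructed.
import hashlib
import hmac

# Constructed sample order table: orderId -> owner and status
ORDERS = {
    1425: {"owner": "user_a", "status": "To be confirmed"},
    1434: {"owner": "user_b", "status": "To be confirmed"},
    1435: {"owner": "user_b", "status": "To be confirmed"},
}

def cancel_order_vulnerable(order_id, current_user):
    """As described in the report: any logged-in user can cancel any id."""
    order = ORDERS.get(order_id)  # current_user is never consulted
    if order is None:
        return "not found"
    order["status"] = "Cancelled"
    return "cancelled"

def cancel_order_checked(order_id, current_user):
    """Fix 1, permission control: the order must belong to the caller."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        # Same answer for missing and foreign orders, so the endpoint
        # does not confirm which ids exist.
        return "not found"
    if order["status"] != "To be confirmed":
        return "cannot cancel"
    order["status"] = "Cancelled"
    return "cancelled"

SERVER_KEY = b"constructed-server-secret"  # assumption: never sent to clients

def order_ref(order_id):
    """Fix 2, ID hiding: an opaque reference carries an HMAC tag, so a
    neighbouring id cannot be produced by simply changing the number."""
    tag = hmac.new(SERVER_KEY, str(order_id).encode(), hashlib.sha256)
    return f"{order_id}-{tag.hexdigest()[:16]}"

def resolve_ref(ref):
    """Map a reference back to an orderId, or None if it was tampered with."""
    raw_id, _, _tag = ref.partition("-")
    if not raw_id.isdigit():
        return None
    if not hmac.compare_digest(order_ref(int(raw_id)), ref):
        return None
    return int(raw_id)
```

With the checked handler, the request for 1425 made from user_b's session returns "not found" and the order stays "To be confirmed"; the reference 1435-... with its number edited to 1425 fails the tag check before any lookup happens.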