If the order for the mobile phone version is leaked, the unauthorized permission can be canceled.

If the order for the mobile phone version is leaked, the unauthorized permission can be canceled.

Order Information is leaked without directly disclosing user information

Cancelling others' orders

Order ID can be traversed, full-site access ......

Low vulnerability impact

We found that the mobile edition and the computer edition use the same database

You can cancel the whole site

I'm sorry for the canceled orders ......



Register first, and then log on to the mobile phone version rent-out.


 

Select two good cars, just a little better.


 

Certification materials


 

Order takes effect, view your order information


 

Take a closer look at the Order ID


 

My order number is 1434. You can change the value to 1425 and view the order of another person.


 

Someone else's information is displayed.



Check the order status: To be confirmed.



Now let's make a comparison ......


 

The link to cancel: http://m.zuyaya.com/update_order_status.action? OrderId = 1435



Change the ID to 1425



Http://m.zuyaya.com/update_order_status.action? OrderId = 1425



And then access it in the address bar.



It's really beyond the authority ......


 

@ Tiexiao huochexia: There is no 15 Rank for two taxi networks to traverse beyond the authority?



Low vulnerability impact



We found that the mobile edition and the computer edition use the same database



You can cancel the whole site

Solution:

Add permission Control

Order ID hiding or encryption