ShopEx shipping address can be viewed, modified, and deleted at will

After a common member logs on to the website, a malicious URL can be used to view, modify, and delete the shipping address of the entire website. This may cause leakage of user sensitive privacy and unnecessary losses to the website. Detailed Description: core/shop/controller/ctl. member. PHP file // modify the shipping address function modifyReceiver ($ addrId) {$ oMem = & $ this-> system-> loadModel ('Member/member '); if ($ aRet = $ oMem-> getAddrById ($ addrId) {$ aRet ['defopt'] = array ('0' =>__ ('no '), '1' = >__ ('yes'); $ this-> pagedata = $ aRet;} else {$ this-> system-> error (404); exit ;} $ this-> _ output ();} function saveRec () {$ this-> begin ($ this-> system-> mkUrl ('member', 'modifyreceiver', ar Ray ($ _ POST ['addr _ id']); $ oMem = & $ this-> system-> loadModel ('Member/member '); if ($ oMem-> saveRec ($ _ POST, $ this-> member ['Member _ id'], $ message) {$ this-> redirect ('member ', 'cancer');} trigger_error ($ message, E_USER_ERROR); $ this-> end (false ,__ ('modification failed '), $ this-> system-> mkUrl ('member', 'modifycycler', array ($ _ POST ['addr _ id']);} // Delete the shipping address function delRec ($ addrId) {$ oMem = & $ this-> system-> loadModel ('memb Er/member '); if ($ oMem-> delRec ($ addrId) {$ this-> redirect ('member', 'receiver ');} $ this-> _ output ();} the above three functions did not judge the user ID of the modified address, resulting in user information leakage and security risks. Vulnerability proof: open any shopex4.85 website. After a registered member logs on, modify the ID attribute /? The member-21-modifyReceiver.html can display and modify the addresses of other users /? Member-21-delRec.html can delete address fixes for other users: function add judgment on User ID // modify shipping address function modifyReceiver ($ addrId) {$ oMem = & $ this-> system-> loadModel ('Member/member'); if ($ aRet = $ oMem-> getAddrById ($ addrId )) {if ($ aRet ['Member _ id']! = $ This-> member ['Member _ id']) {$ this-> system-> error (404); exit ;} else {$ aRet ['defopt'] = array ('0' = >__ ('no'), '1' = >__ ('yes ')); $ this-> pagedata = $ aRet ;}} else {$ this-> system-> error (404); exit ;}$ this-> _ output ();} function saveRec () {$ this-> begin ($ this-> system-> mkUrl ('member', 'modifyreceiver ', array ($ _ POST ['addr _ id']); $ oMem = & $ this-> system-> loadModel ('Member/member '); foreach ($ _ POST as $ ke => $ ve) {$ _ POS T [$ ke] = strip_tags ($ ve);} if ($ aRet = $ oMem-> getAddrById ($ _ POST ['addr _ id']) {if ($ aRet ['Member _ id']! = $ This-> member ['Member _ id']) {$ this-> system-> error (404); exit ;}} if ($ oMem-> saveRec ($ _ POST, $ this-> member ['Member _ id'], $ message) {$ this-> redirect ('member ', 'cancer');} trigger_error ($ message, E_USER_ERROR); $ this-> end (false ,__ ('modification failed '), $ this-> system-> mkUrl ('member', 'modifycycler', array ($ _ POST ['addr _ id']);} // Delete the shipping address www.2cto.com function delRec ($ addrId) {$ oMem = & $ this-> system-> loadModel ('Member /Member '); if ($ aRet = $ oMem-> getAddrById ($ _ POST ['addr _ id']) {if ($ aRet ['Member _ id']! = $ This-> member ['Member _ id']) {$ this-> system-> error (404); exit ;}} if ($ oMem-> delRec ($ addrId) {$ this-> redirect ('member', 'Referer') ;}$ this-> _ output ();}