A design defect in one site of Qinglv's travel network (aoyou.com) leaks a large amount of sensitive information (order number / member number / name / mobile phone number / ID card number / email / address)
Qinglv Holdings Co., Ltd. (hereinafter "Qinglv") is a subsidiary of the Chinese Youth Travel Group Company, which is directly under the Central Committee of the Communist Youth League. It was founded on 26 November 1997 by public fundraising, and on 3 December its shares were listed on the Shanghai Stock Exchange. It was the first A-share listed company in China's travel service industry (stock code: 600138) and one of the first batch of 5A travel agencies in Beijing, with a total share capital of 0.41535 billion yuan.
Detailed description:
The CAPTCHA (verification code) on the login page at http://erp.aoyou.com:8060/login is defectively designed, which allows brute-force cracking of user passwords;
The cracked usernames and passwords are as follows:
Exposed member records (non-registered, potential, general, bronze and gold members): 831042
Proof of vulnerability:
Through http://erp.aoyou.com:8060/login it is possible to change a member's password and then log on to www.aoyou.com;
Solution:
Eliminate weak passwords and redesign the verification code (CAPTCHA)!
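As an added illustration of the remediation (example code written for this page, not part of the original report or of the vendor's system), the sketch below binds each CAPTCHA to a single-use server-side token, locks an account after repeated failures so a CAPTCHA bypass alone cannot enable brute force, and rejects weak passwords at password-change time. The stores, thresholds and function names are assumptions; the in-memory dictionaries stand in for a real session and account database.

```python
import secrets
import time

# Constructed in-memory stores standing in for the site's session/DB layer (assumption).
_captchas = {}           # token -> (expected answer, issued_at)
_failed = {}             # username -> (failure count, locked_until)
CAPTCHA_TTL = 120        # seconds a CAPTCHA token stays valid
MAX_FAILURES = 5         # failed logins before the account is temporarily locked
LOCK_SECONDS = 900       # length of the temporary lock

def issue_captcha(answer, now=None):
    """Return a fresh random token bound to exactly one CAPTCHA answer."""
    token = secrets.token_urlsafe(16)
    _captchas[token] = (answer, now if now is not None else time.time())
    return token

def check_captcha(token, answer, now=None):
    """Consume the token whether or not the answer matches, so it cannot be replayed."""
    now = now if now is not None else time.time()
    entry = _captchas.pop(token, None)        # one attempt per issued token
    if entry is None:
        return False
    expected, issued = entry
    return now - issued <= CAPTCHA_TTL and secrets.compare_digest(expected, answer)

def is_weak_password(pw):
    """Reject short, digit-only, dictionary and sequential-digit passwords."""
    return len(pw) < 10 or pw.isdigit() or pw.lower() in {"password", "qwerty"} or "123456" in pw

def login(username, password, token, answer, verify_credentials, now=None):
    """Login pipeline: lockout check -> single-use CAPTCHA -> credential check."""
    now = now if now is not None else time.time()
    count, locked_until = _failed.get(username, (0, 0))
    if now < locked_until:
        return "locked"
    if not check_captcha(token, answer, now):
        return "captcha_failed"
    if verify_credentials(username, password):
        _failed.pop(username, None)           # successful login resets the counter
        return "ok"
    count += 1
    _failed[username] = (count, now + LOCK_SECONDS if count >= MAX_FAILURES else 0)
    return "bad_credentials"
```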