Horizontal privilege escalation in user information update #76

Closed

BACMiao opened this issue Oct 28, 2022 · 1 comment

Comments

@BACMiao

BACMiao commented Oct 28, 2022

Hello, we analyzed your project's source code and found a horizontal privilege escalation in the user information update module: by modifying the userId in the request, it is possible to log in directly as another user without any password verification.

Affected version:

Commit 1f2c2dfy (October 28)

Source locations of the horizontal privilege escalation:

The updateInfo method in ltd.newbee.mall.controller.mall.PersonalController
[image]

The updateUserInfo method in ltd.newbee.mall.service.impl.NewBeeMallUserServiceImpl
[image]

Because mallUser.getUserId is user-controlled and the logic has no validation step, horizontal privilege escalation occurs at the places marked with red boxes: by changing the user Id, one can directly log in as another user.

Reproducing the horizontal privilege escalation:

Tool used: BurpSuite

  1. Log in as the account "test user 3"; this user's order list is empty:
     [image]

     [image]

  2. Modify the personal information and submit:
     [image]

  3. Intercept the request with BurpSuite, tamper with the userId, and send the request:
     [image]

  4. The current user is now "十三"; without any login verification, one can directly impersonate another user and modify that user's information and orders:
     [image]
     [image]
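The root cause described in the report is that the controller forwards a request-supplied `userId` into `updateUserInfo` and then stores the resulting object as the session identity. The following is an added illustration, not code from the newbee-mall project: it places the request-trusting pattern next to a hardened variant in which the identity comes from the server-side session and only an allow-list of fields is copied from the request. Apart from the names `PersonalController`, `updateInfo` and `updateUserInfo` taken from the report, every class, field and session key here is assumed.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not the project's code). Stand-in types are assumed.
public class PersonalControllerExample {

    // Minimal stand-in for the project's user entity (assumed shape).
    static class MallUser {
        Long userId;
        String nickName;
        String address;
        Long getUserId() { return userId; }
        void setUserId(Long id) { userId = id; }
    }

    // Minimal stand-in for an HTTP session (assumed; a Map instead of HttpSession).
    static class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        Object getAttribute(String k) { return attrs.get(k); }
        void setAttribute(String k, Object v) { attrs.put(k, v); }
    }

    // Stand-in for NewBeeMallUserServiceImpl (assumed). It persists whatever
    // userId the object carries, which is exactly why the caller must never
    // let that id come from the request.
    static class UserService {
        final Map<Long, MallUser> db = new HashMap<>();
        boolean updateUserInfo(MallUser u) {
            if (u.getUserId() == null || !db.containsKey(u.getUserId())) return false;
            db.put(u.getUserId(), u);
            return true;
        }
    }

    // Vulnerable pattern from the report: the request body decides the userId,
    // and the request object itself becomes the session identity.
    static String updateInfoVulnerable(MallUser fromRequest, Session session, UserService svc) {
        if (!svc.updateUserInfo(fromRequest)) return "update failed";
        session.setAttribute("user", fromRequest); // session now carries a caller-chosen id
        return "ok";
    }

    // Hardened pattern: identity is read from the session, the request may only
    // change explicitly editable fields, and the stored object keeps the server id.
    static String updateInfoHardened(MallUser fromRequest, Session session, UserService svc) {
        MallUser current = (MallUser) session.getAttribute("user");
        if (current == null) return "login required";
        MallUser toSave = new MallUser();
        toSave.setUserId(current.getUserId()); // server-side identity wins over the request
        toSave.nickName = fromRequest.nickName; // allow-list of editable fields
        toSave.address = fromRequest.address;
        if (!svc.updateUserInfo(toSave)) return "update failed";
        session.setAttribute("user", toSave);
        return "ok";
    }

    // Demonstration with constructed data: user 3 is logged in and submits a
    // body whose userId was tampered to 13.
    public static void main(String[] args) {
        UserService svc = new UserService();
        MallUser u3 = new MallUser(); u3.setUserId(3L); u3.nickName = "test user 3";
        MallUser u13 = new MallUser(); u13.setUserId(13L); u13.nickName = "other user";
        svc.db.put(3L, u3);
        svc.db.put(13L, u13);

        MallUser tampered = new MallUser();
        tampered.setUserId(13L); // attacker-controlled field in the request body
        tampered.nickName = "renamed";

        Session s1 = new Session(); s1.setAttribute("user", u3);
        updateInfoVulnerable(tampered, s1, svc);
        System.out.println("vulnerable: session userId = "
                + ((MallUser) s1.getAttribute("user")).getUserId()); // 13

        Session s2 = new Session(); s2.setAttribute("user", u3);
        updateInfoHardened(tampered, s2, svc);
        System.out.println("hardened:   session userId = "
                + ((MallUser) s2.getAttribute("user")).getUserId()); // 3
        System.out.println("user 13 unchanged: " + svc.db.get(13L).nickName.equals("other user"));
    }
}
```

The same rule should also be enforced one layer down: a service method that updates a user should compare the id it is asked to write against the id of the authenticated principal passed in by the controller, so that a second, differently written controller cannot reintroduce the flaw.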

@ZHENFENG13
Collaborator

Received; this will be fixed soon.

ZHENFENG13 added a commit that referenced this issue Nov 3, 2022