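Vulnerability Details

Disclosure status:

2014-09-30: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2014-11-14: The vendor has chosen to ignore the vulnerability; details are released to the public

Brief description:

Unauthorized order operations on a large domestic airline-ticket platform expose order data

Detailed description: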

http://www.e***.net/airticket/policyOrder!details.shtml?operate=edit&ddbh=1308201407032511&type=1


http://www.e***.net/airticket/policyOrder!details.shtml?operate=edit&ddbh=1309300928106175&type=1
http://www.e***.net/airticket/policyOrder!details.shtml?operate=edit&ddbh=130125190937562&type=1
http://www.e***.net/airticket/reportAll/salesReportAll.jsp?cggy=2

Proof of vulnerability:

As above

Remediation:

Restrict permissions
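
One way to implement the fix named above, as an added example that is not the platform's code: the order-details handler confirms that the order identified by `ddbh` belongs to the authenticated session before returning it or allowing `operate=edit`. The `Order` record, the in-memory store, the account names, the `admins` set and the reading of `ddbh` as the order number are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    ddbh: str       # order number from the ddbh URL parameter (assumed meaning)
    owner: str      # account that placed the order
    passenger: str


# Constructed sample data: order numbers, accounts and names are made up.
ORDERS = {
    "1000000000000001": Order("1000000000000001", "agent_a", "Passenger One"),
    "1000000000000002": Order("1000000000000002", "agent_b", "Passenger Two"),
}


def details_unchecked(session_user, ddbh):
    """Reported behaviour: the order is returned for any ddbh, with no ownership check."""
    order = ORDERS.get(ddbh)
    return (200, order) if order else (404, None)


def details_checked(session_user, ddbh, operate="view", admins=frozenset()):
    """Return (status, order) only when the session may act on this order."""
    if not session_user:
        return (401, None)                      # no authenticated session
    if operate not in ("view", "edit"):
        return (400, None)                      # unknown operation
    order = ORDERS.get(ddbh)
    # Missing and foreign orders get the same answer, so order numbers
    # cannot be confirmed by comparing responses.
    if order is None or (order.owner != session_user and session_user not in admins):
        return (404, None)
    return (200, order)
```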
