doyocms平行权限问题之泄露订单

### 简要描述： doyocms平行权限问题之泄露订单 ### 详细说明： 订单越权查看漏洞 出现问题的代码位于source/member.php处 function myorder(){ if($this->syArgs('oid')||$this->syArgs('orderid',1)!=''){ if($this->syArgs('oid')){$r=array('id'=>$this->syArgs('oid'));}else{$r=array('orderid'=>$this->syArgs('orderid',1));} $this->order=syDB('order')->find($r); if($this->order['state']>0&&$this->order['virtual']==1)$this->virtuals=syDB('product_virtual')->findAll(array('oid'=>$this->order['id'],'state'=>1)); $this->goods=order_goods(unserialize($this->order['goods']),$this->order['logistics']); $this->info=unserialize($this->order['info']); $this->sendgoods=unserialize($this->order['sendgoods']); $total=0; foreach($this->goods[0] as $v){ $total=calculate($total,$v['total']); $total=calculate($total,$v['logistics_price']); } $this->aggregate=calculate($total, $this->order['favorable'],2); $this->display("member/myorderinfo.html"); }else{ $c=syClass('c_order'); $total_page=total_page($GLOBALS['G_DY']['db']['prefix'].'order where uid='.$this->my['id']); $this->lists=$c->syPager($this->syArgs('page',0,1),10,$total_page)->findAll(array('uid'=>$this->my['id']),' addtime desc '); $c_page=$c->syPager()->getPager(); $this->pages=pagetxt($c_page,$GLOBALS['G_DY']['url']["url_path_base"].'?c=member&a=myorder'); $this->display("member/myorder.html"); } } [<img src="https://images.seebug.org/upload/201503/08113333674c9e7816fc7a2e8a8021c66af86317.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/08113333674c9e7816fc7a2e8a8021c66af86317.png) 这段代码用于查看用户的订单信息 254,255,256行是关键点 但是用于查询订单信息的条件却过于简单，直接导致通过修改URL参数查看其它用户的订单信息。 验证，我注册两个用户sss 和zzz 使用系统管理员给两人注入一些钱（模拟用户）各买东西形成订单 [<img src="https://images.seebug.org/upload/201503/081134086d4acd3aaa3f36c77a0e4a86cc495f35.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/081134086d4acd3aaa3f36c77a0e4a86cc495f35.png) [<img src="https://images.seebug.org/upload/201503/0811345527d3b2e17270d087162be1220280149f.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0811345527d3b2e17270d087162be1220280149f.png) 在zzz用户页面修改oid可以看到 [<img src="https://images.seebug.org/upload/201503/081135354ce79cd89a06f42b11a57f00febbb802.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/081135354ce79cd89a06f42b11a57f00febbb802.png) 他果然看到了sss购买的商品以及下面的订货信息 [<img src="https://images.seebug.org/upload/201503/08113612995cce3fe20186235e585d2b75cf8c46.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/08113612995cce3fe20186235e585d2b75cf8c46.png) ### 漏洞证明： 我注册两个用户sss 和zzz 使用系统管理员给两人注入一些钱（模拟用户）各买东西形成订单 [<img src="https://images.seebug.org/upload/201503/081134086d4acd3aaa3f36c77a0e4a86cc495f35.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/081134086d4acd3aaa3f36c77a0e4a86cc495f35.png) [<img src="https://images.seebug.org/upload/201503/0811345527d3b2e17270d087162be1220280149f.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0811345527d3b2e17270d087162be1220280149f.png) 在zzz用户页面修改oid可以看到 [<img src="https://images.seebug.org/upload/201503/081135354ce79cd89a06f42b11a57f00febbb802.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/081135354ce79cd89a06f42b11a57f00febbb802.png) 他果然看到了sss购买的商品以及下面的订货信息 [<img src="https://images.seebug.org/upload/201503/08113612995cce3fe20186235e585d2b75cf8c46.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/08113612995cce3fe20186235e585d2b75cf8c46.png)