### 简要描述:
ECSHOP手机订单获取有漏洞,导致客户订单资料外泄
### 详细说明:
```
elseif ($act == 'order_list')
{
$record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}");
if ($record_count > 0)
{
include_once(ROOT_PATH . 'includes/lib_transaction.php');
$page_num = '10';
$page = !empty($_GET['page']) ? intval($_GET['page']) : 1;
$pages = ceil($record_count / $page_num);
if ($page <= 0)
{
$page = 1;
}
if ($pages == 0)
{
$pages = 1;
}
if ($page > $pages)
{
$page = $pages;
}
$pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page');
$smarty->assign('pagebar' , $pagebar);
/* 订单状态 */
$_LANG['os'][OS_UNCONFIRMED] = '未确认';
$_LANG['os'][OS_CONFIRMED] = '已确认';
$_LANG['os'][OS_SPLITED] = '已确认';
$_LANG['os'][OS_SPLITING_PART] = '已确认';
$_LANG['os'][OS_CANCELED] = '已取消';
$_LANG['os'][OS_INVALID] = '无效';
$_LANG['os'][OS_RETURNED] = '退货';
$_LANG['ss'][SS_UNSHIPPED] = '未发货';
$_LANG['ss'][SS_PREPARING] = '配货中';
$_LANG['ss'][SS_SHIPPED] = '已发货';
$_LANG['ss'][SS_RECEIVED] = '收货确认';
$_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)';
$_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单
$_LANG['ps'][PS_UNPAYED] = '未付款';
$_LANG['ps'][PS_PAYING] = '付款中';
$_LANG['ps'][PS_PAYED] = '已付款';
$_LANG['cancel'] = '取消订单';
$_LANG['pay_money'] = '付款';
$_LANG['view_order'] = '查看订单';
$_LANG['received'] = '确认收货';
$_LANG['ss_received'] = '已完成';
$_LANG['confirm_received'] = '你确认已经收到货物了吗?';
$_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单';
$orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1));
if (!empty($orders))
{
foreach ($orders as $key => $val)
{
$orders[$key]['total_fee'] = encode_output($val['total_fee']);
}
}
//$merge = get_user_merge($_SESSION['user_id']);
$smarty->assign('orders', $orders);
}
$smarty->assign('footer', get_footer());
$smarty->display('order_list.html');
exit;
}
```
没有对访问这个页面的用户进行过滤,直接可以输出所有查询出来的值
甚至可以对订单进行操作
### 漏洞证明:
```
elseif ($act == 'order_list')
{
$record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}");
if ($record_count > 0)
{
include_once(ROOT_PATH . 'includes/lib_transaction.php');
$page_num = '10';
$page = !empty($_GET['page']) ? intval($_GET['page']) : 1;
$pages = ceil($record_count / $page_num);
if ($page <= 0)
{
$page = 1;
}
if ($pages == 0)
{
$pages = 1;
}
if ($page > $pages)
{
$page = $pages;
}
$pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page');
$smarty->assign('pagebar' , $pagebar);
/* 订单状态 */
$_LANG['os'][OS_UNCONFIRMED] = '未确认';
$_LANG['os'][OS_CONFIRMED] = '已确认';
$_LANG['os'][OS_SPLITED] = '已确认';
$_LANG['os'][OS_SPLITING_PART] = '已确认';
$_LANG['os'][OS_CANCELED] = '已取消';
$_LANG['os'][OS_INVALID] = '无效';
$_LANG['os'][OS_RETURNED] = '退货';
$_LANG['ss'][SS_UNSHIPPED] = '未发货';
$_LANG['ss'][SS_PREPARING] = '配货中';
$_LANG['ss'][SS_SHIPPED] = '已发货';
$_LANG['ss'][SS_RECEIVED] = '收货确认';
$_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)';
$_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单
$_LANG['ps'][PS_UNPAYED] = '未付款';
$_LANG['ps'][PS_PAYING] = '付款中';
$_LANG['ps'][PS_PAYED] = '已付款';
$_LANG['cancel'] = '取消订单';
$_LANG['pay_money'] = '付款';
$_LANG['view_order'] = '查看订单';
$_LANG['received'] = '确认收货';
$_LANG['ss_received'] = '已完成';
$_LANG['confirm_received'] = '你确认已经收到货物了吗?';
$_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单';
$orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1));
if (!empty($orders))
{
foreach ($orders as $key => $val)
{
$orders[$key]['total_fee'] = encode_output($val['total_fee']);
}
}
//$merge = get_user_merge($_SESSION['user_id']);
$smarty->assign('orders', $orders);
}
$smarty->assign('footer', get_footer());
$smarty->display('order_list.html');
exit;
}
```
去百度 搜索powered by ecshop
所有开通手机网站的ecshop商城 域名后加mobile/user.php?act=order_list
即可访问所有匿名购买者的订单,并可对其订单进行操作
[<img src="https://images.seebug.org/upload/201401/1817455717aaf5949592d46b76e5c7ff4616184a.jpg" alt="_20140118174535.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/1817455717aaf5949592d46b76e5c7ff4616184a.jpg)
暂无评论