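Vulnerability

Access control vulnerability caused by a missing duplicate check on mobile e-mail addresses

  • Published: June 29, 2010
  • Severity: Medium
  • Affected: versions earlier than 2.4.4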
-------------------------------------------------------------------
■Vulnerability type
-------------------------------------------------------------------
Access control vulnerability


-------------------------------------------------------------------
■EC-CUBE versions containing the defect
-------------------------------------------------------------------
EC-CUBE official release, versions earlier than 2.4.4 (published June 29, 2010)

-------------------------------------------------------------------
■How to fix (the changes below are relative to Ver2.4.3.)
-------------------------------------------------------------------
In data/class/pages/admin/customer/LC_Page_Admin_Customer_Edit.php,
change the following code.

■Around line 292
-------------------------------------------------------------------
 Before
-------------------------------------------------------------------
$sql = "SELECT customer_id FROM dtb_customer WHERE email ILIKE ? escape '#' 
AND (status = 1 OR status = 2) AND del_flg = 0 AND customer_id <> ?"; 
-------------------------------------------------------------------

-------------------------------------------------------------------
 After
-------------------------------------------------------------------
$sql = "SELECT customer_id FROM dtb_customer WHERE (email ILIKE ? escape '#' 
OR email_mobile ILIKE ? escape '#') AND (status = 1 OR status = 2) AND del_flg = 0 
AND customer_id <> ?";
-------------------------------------------------------------------

■Around line 294
-------------------------------------------------------------------
 Before
-------------------------------------------------------------------
$result = $this->objConn->getAll($sql, array($checkMail, $array["customer_id"])); 
-------------------------------------------------------------------

-------------------------------------------------------------------
 After
-------------------------------------------------------------------
$result = $this->objConn->getAll($sql, array($checkMail, $checkMail, $array["customer_id"]));
-------------------------------------------------------------------

■Around line 304
-------------------------------------------------------------------
 Before
-------------------------------------------------------------------
$sql = "SELECT customer_id FROM dtb_customer WHERE email_mobile ILIKE ? 
escape '#' AND (status = 1 OR status = 2) AND del_flg = 0 AND customer_id <> ?";
-------------------------------------------------------------------

-------------------------------------------------------------------
 After
-------------------------------------------------------------------
$sql = "SELECT customer_id FROM dtb_customer WHERE (email ILIKE ? escape '#' 
OR email_mobile ILIKE ? escape '#') AND (status = 1 OR status = 2) AND del_flg = 0 
AND customer_id <> ?";
-------------------------------------------------------------------

■Around line 306
-------------------------------------------------------------------
 Before
-------------------------------------------------------------------
$result = $this->objConn->getAll($sql, array($checkMail, $array["customer_id"]));
-------------------------------------------------------------------

-------------------------------------------------------------------
 After
-------------------------------------------------------------------
$result = $this->objConn->getAll($sql, array($checkMail, $checkMail, $array["customer_id"])); 
-------------------------------------------------------------------



In data/class/pages/entry/LC_Page_Entry.php,
change the following code.

■Around line 733
-------------------------------------------------------------------
 Before
-------------------------------------------------------------------
$arrRet = $objQuery->select("email, update_date, del_flg", "dtb_customer","email = ? 
ORDER BY del_flg", array($array["email"]));
-------------------------------------------------------------------

-------------------------------------------------------------------
 After
-------------------------------------------------------------------
$arrRet = $objQuery->select("email, update_date, del_flg", "dtb_customer","email = ? 
OR email_mobile = ? ORDER BY del_flg", array($array["email"], $array["email"]));
-------------------------------------------------------------------



In data/class/pages/mypage/LC_Page_Mypage_Change.php,
change the following code.

■Around line 447
-------------------------------------------------------------------
 Before
-------------------------------------------------------------------
"del_flg=0 AND " . $mailType . "= ?", 
array($this->arrForm[$mailType])); 
-------------------------------------------------------------------

-------------------------------------------------------------------
 After
-------------------------------------------------------------------
"del_flg=0 AND (email = ? OR email_mobile = ?) ", 
array($this->arrForm[$mailType], $this->arrForm[$mailType])); 
-------------------------------------------------------------------

Fixed in revision 18741
http://svn.ec-cube.net/open_trac/changeset/18741
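
The before/after queries above differ in one respect: the fixed versions compare a submitted address against both email and email_mobile. The following added example (not EC-CUBE code) reproduces that difference on a constructed in-memory SQLite table and goes one step further with an audit query for collisions that already exist. The table layout, the sample rows, the function names and the use of lower() equality in place of the ILIKE match are assumptions.

```python
import sqlite3

# Constructed sample rows: (customer_id, email, email_mobile, status, del_flg).
# Column names follow the dtb_customer queries in the advisory.
ROWS = [
    (1, "alice@example.com", "alice@mobile.example", 2, 0),
    (2, "bob@example.com", None, 2, 0),
    (3, "carol@example.com", None, 1, 0),
    (4, "dave@example.com", "bob@example.com", 2, 1),     # deleted account
    (5, "frank@example.com", "Alice@example.com", 2, 0),  # collides with id 1
]
ACTIVE = "(status = 1 OR status = 2) AND del_flg = 0"

def make_db(rows=ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dtb_customer (customer_id INTEGER PRIMARY KEY,"
               " email TEXT, email_mobile TEXT, status INTEGER, del_flg INTEGER)")
    db.executemany("INSERT INTO dtb_customer VALUES (?, ?, ?, ?, ?)", rows)
    return db

def old_check(db, column, address, own_id):
    """Pre-fix shape: the address is compared with one column only."""
    if column not in ("email", "email_mobile"):  # interpolated below, so allow-list it
        raise ValueError(column)
    sql = (f"SELECT customer_id FROM dtb_customer WHERE lower({column}) = lower(?)"
           f" AND {ACTIVE} AND customer_id <> ? ORDER BY customer_id")
    return [r[0] for r in db.execute(sql, (address, own_id))]

def new_check(db, address, own_id):
    """Post-fix shape: the same address is bound twice, once per column."""
    sql = ("SELECT customer_id FROM dtb_customer WHERE (lower(email) = lower(?)"
           f" OR lower(email_mobile) = lower(?)) AND {ACTIVE}"
           " AND customer_id <> ? ORDER BY customer_id")
    return [r[0] for r in db.execute(sql, (address, address, own_id))]

def existing_collisions(db):
    """Audit: active account pairs where one's email is the other's email_mobile."""
    sql = ("SELECT a.customer_id, b.customer_id FROM dtb_customer a"
           " JOIN dtb_customer b ON a.customer_id <> b.customer_id"
           " AND lower(a.email) = lower(b.email_mobile)"
           " WHERE a.del_flg = 0 AND a.status IN (1, 2)"
           " AND b.del_flg = 0 AND b.status IN (1, 2)"
           " ORDER BY a.customer_id, b.customer_id")
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(old_check(db, "email_mobile", "Bob@Example.com", 3))
    print(new_check(db, "Bob@Example.com", 3))
    print(existing_collisions(db))
```

The audit query is worth running once after the patch is applied, since the corrected checks only stop new collisions and do not clean up rows stored earlier.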