orderdetails.aspx, as made available to Microsoft .NET developers as example code and demonstrated on www.ibuyspystore.com, allows remote attackers to view the orders of other users by modifying the OrderID parameter.
Microsoft .NET orderdetails.aspx OrderID Parameter Arbitrary Order Access
Remote / Network Access
Loss of Confidentiality
ibuyspystore.com contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by a lack of authorization when viewing existing orders, which will disclose order information resulting in a loss of confidentiality.
Do not reuse or copy this sample code in any software project.
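The missing authorization check described above, shown as an added C# example that is not the IBuySpy sample's own code: an order lookup filtered by OrderID alone beside one that also requires the order to belong to the authenticated customer. The `Order` record, the `OrderStore` class and the in-memory sample rows are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed in-memory stand-in for an orders table; not the sample store's schema.
public record Order(int OrderId, string CustomerId, decimal Total);

public static class OrderStore
{
    // Constructed sample rows: two customers, three orders.
    public static readonly List<Order> Orders = new()
    {
        new Order(1001, "alice", 49.99m),
        new Order(1002, "bob",   120.00m),
        new Order(1003, "alice", 15.50m),
    };

    // Vulnerable pattern: the caller-supplied OrderID is the only filter, so any
    // logged-in user who edits the parameter can read any customer's order.
    public static Order? GetOrderByIdOnly(int orderId) =>
        Orders.FirstOrDefault(o => o.OrderId == orderId);

    // Hardened pattern: the customer id comes from the server-side session, never
    // from the request, and is part of the lookup predicate. A mismatch looks the
    // same as a missing order, so the response reveals nothing about other orders.
    public static Order? GetOrderForCustomer(int orderId, string currentCustomerId) =>
        Orders.FirstOrDefault(o => o.OrderId == orderId
                                && o.CustomerId == currentCustomerId);

    public static void Main()
    {
        // Session belongs to "bob"; the request carries another customer's OrderID.
        string sessionCustomer = "bob";
        int requestedOrderId = 1001;

        Order? leaked = GetOrderByIdOnly(requestedOrderId);
        Console.WriteLine(leaked is null ? "not found" : $"LEAK: {leaked}");

        Order? guarded = GetOrderForCustomer(requestedOrderId, sessionCustomer);
        Console.WriteLine(guarded is null ? "not found (denied)" : $"ok: {guarded}");

        // Bob's own order is still reachable through the hardened lookup.
        Console.WriteLine(GetOrderForCustomer(1002, sessionCustomer));
    }
}
```

In the ASP.NET page itself the same ownership predicate belongs in the parameterized query (OrderID and CustomerID together), with the customer id taken from the authenticated identity rather than from any request parameter.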