康盛,这么做是不是有点过火了-2
12-24
自打上篇文章 康盛,这么做是不是有点过火了发表后,引起很多朋友讨论。有些朋友从技术上抨击了这种做法,有些朋友从商业上去理解这种做法。当然,我们是搞技术的,单纯从程序安全和数据安全上来分析一下。
老样子,后台有个get提交:
http://u.discuz.net/customer/update.php?get=a%3A16%3A%7Bs%3A7%3A%22sitekey%22%3Bs%3A16%3A%22f270e28a8b0Qv1Y8%22%3Bs%3A7%3A%22version%22%3Bs%3A3%3A%222.0%22%3Bs%3A7%3A%22release%22%3Bs%3A8%3A%2220090825%22%3Bs%3A3%3A%22php%22%3Bs%3A5%3A%225.2.6%22%3Bs%3A5%3A%22mysql%22%3Bs%3A6%3A%225.0.22%22%3Bs%3A6%3A%22dbsize%22%3Bi%3A1298163%3Bs%3A7%3A%22charset%22%3Bs%3A5%3A%22utf-8%22%3Bs%3A8%3A%22sitename%22%3Bs%3A12%3A%22%E6%88%91%E7%9A%84%E7%A9%BA%E9%97%B4%22%3Bs%3A7%3A%22feednum%22%3Bs%3A2%3A%2210%22%3Bs%3A7%3A%22blognum%22%3Bs%3A1%3A%220%22%3Bs%3A8%3A%22albumnum%22%3Bs%3A1%3A%220%22%3Bs%3A9%3A%22threadnum%22%3Bs%3A1%3A%220%22%3Bs%3A8%3A%22sharenum%22%3Bs%3A1%3A%220%22%3Bs%3A10%3A%22commentnum%22%3Bs%3A1%3A%220%22%3Bs%3A8%3A%22myappnum%22%3Bs%3A1%3A%224%22%3Bs%3A8%3A%22spacenum%22%3Bs%3A1%3A%223%22%3B%7D&h=aa380aa3
urldecode并且反序列化,得出这么一堆东西
- Array
- (
- [sitekey] => f270e28a8b0Qv1Y8
- [version] => 2.0
- [release] => 20090825
- [php] => 5.2.6
- [mysql] => 5.0.22
- [dbsize] => 1298163
- [charset] => utf-8
- [sitename] => 我的空间
- [feednum] => 10
- [blognum] => 0
- [albumnum] => 0
- [threadnum] => 0
- [sharenum] => 0
- [commentnum] => 0
- [myappnum] => 4
- [spacenum] => 3
- )
sitekey是什么?通过阅读代码,sitekey是pre_config表里一个字段,跟以下代码配合工作
- $hash = $_SCONFIG['my_siteid'].'|'.$_SGLOBAL['supe_uid'].'|'.$appid.'|'.$current_url.'|'.$extra.'|'.$timestamp.'|'.$_SCONFIG['my_sitekey'];
它跟manyou服务器配合,才有权从你的服务器上拉取你数据库中的某些信息。
其他字段,我们看字面意思基本也能知道是干啥用的。
继续运行程序,我们看当一个用户第一次安装应用的时候做了什么。
这个信息要从服务器上截取,我是根据nginx日志和程序中截取反馈信息获得的。
服务器日志:
- 124.238.249.171 - - [24/Dec/2009:20:02:40 +0800] "POST /uhome/api/my.php HTTP/1.0" 200 192 "-" "myop/1.0" "-"
manyou服务器发来post请求。post信息不会在日志里,底下是我抓取来的信息:
- [post] => Array
- (
- [module] => Users
- [method] => getInfo
- [sign] => 271ce9942c94fc4f4d39445e133105bc
- [params] => a:1:{s:4:\"uIds\";a:1:{i:0;s:1:\"3\";}}
- )
做过sns网站应用开发的应该很容易看懂底大概是什么意思。
看看我们的程序给manyou平台返回了什么信息:
- [result] => Array
- (
- [0] => Array
- (
- [uId] => 3
- [handle] => sunboyu1
- [action] =>
- [realName] =>
- [realNameChecked] =>
- [gender] => unknown
- [email] => dfafdasf@123.fdsafds
- [qq] =>
- [msn] =>
- [birthday] => 0000-00-00
- [bloodType] => unknown
- [relationshipStatus] => unknown
- [birthProvince] =>
- [birthCity] =>
- [resideProvince] =>
- [resideCity] =>
- [viewNum] => 0
- [friendNum] => 0
- [myStatus] =>
- [lastActivity] => 0
- [created] => 1261655045
- [credit] => 25
- [isUploadAvatar] =>
- [adminLevel] => none
- [homepagePrivacy] => public
- [profilePrivacyList] => Array
- (
- )
- [friendListPrivacy] => public
- )
- )
- [mode] =>
有了这些数据,我又注册了一个号码,把资料填全,看看是不是都被抓走:
- [result] => Array
- (
- [totalNum] => 0
- [friends] => Array
- (
- )
- [me] => Array
- (
- [uId] => 4
- [handle] => sunboyu2
- [action] =>
- [realName] => 一个程序猿
- [realNameChecked] => 1
- [gender] => male
- [email] => 1231231@fdsfdsa.com
- [qq] => 176300676
- [msn] => sunboyu@gmail.com
- [birthday] => 2004-02-01
- [bloodType] => B
- [relationshipStatus] => single
- [birthProvince] => 北京
- [birthCity] => 东城
- [resideProvince] => 黑龙江
- [resideCity] => 佳木斯
- [viewNum] => 0
- [friendNum] => 0
- [myStatus] =>
- [lastActivity] => 1261657227
- [created] => 1261657100
- [credit] => 40
- [isUploadAvatar] => 1
- [adminLevel] => none
- [homepagePrivacy] => friends
- [profilePrivacyList] => Array
- (
- [relationshipStatus] => friends
- [birthday] => friends
- [bloodType] => me
- [birthPlace] => public
- [residePlace] => public
- [qq] => me
- [mobile] => public
- [msn] => public
- )
- [friendListPrivacy] => me
- )
- )
- [mode] =>
- )
差不多基本资料都过去了。
这样,可以看出,康盛的服务器不断得在抓取用户的信息。这个事情是不是过火,从商业的角度,是应该很过火的。他把用户产品内的账号信息等关键东西都抓走,这些信息到他们手里,难免会交易给竞争对手。
但是,从技术上讲,康盛的manyou服务器还有个缓存的功能。如果拉取用户信息这个请求都放在网站的服务器上,我相信大多数虚拟主机的用户会不堪重负,而康盛其实为这些负载买单了。买单的结果,就是你得把用户的信息提供给康盛。就这么简单。
从程序安全上讲,你的数据库信息,尤其用户信息,在你的网站和manyou之间共享,而康盛没有拉走用户或者管理员资料,也没有发现其他信息的提取,所以,两者之间是安全的。第三方网站是无法获得这些资料的。
但从商业安全上讲,康盛的服务器是否可信?康盛是否会拿这些信息作一些站长不希望做的事情?这个只能由官方来解释了。
睡一觉,研究其他产品去。
