-------------------------------------------------------------------
■脆弱性の種類
-------------------------------------------------------------------
クロスサイトリクエストフォージェリの脆弱性
-------------------------------------------------------------------
■不具合が存在するEC-CUBEのバージョン
-------------------------------------------------------------------
EC-CUBE 2.11.0 から 2.13.0 まで（下記の各バージョン）
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.12.0
2.12.1
2.12.2
2.12.3
2.12.3en.p1
2.12.3en.p2
2.12.4
2.12.4en
2.12.5
2.12.5en
2.12.6
2.12.6en
2.13.0
-------------------------------------------------------------------
■修正方法について
-------------------------------------------------------------------
/data/class/pages/mypage/LC_Page_Mypage_Refusal.php::action
/data/Smarty/templates/default/mypage/refusal_confirm.tpl
/data/Smarty/templates/mobile/mypage/refusal.tpl
/data/Smarty/templates/sphone/mypage/refusal_confirm.tpl
に以下の変更を加えます。
▽LC_Page_Mypage_Refusal.php
64行目付近
-----------------------------------------------------------------------------------------------------------------
変更前
-----------------------------------------------------------------------------------------------------------------
// Vulnerable version: the 'complete' branch deletes the logged-in customer on
// any POST carrying mode=complete, with no per-request token check, so a
// cross-site request can trigger account withdrawal (the CSRF this advisory fixes).
switch ($this->getMode()) {
case 'confirm':
$this->tpl_mainpage = 'mypage/refusal_confirm.tpl';
$this->tpl_subtitle = '退会手続き(確認ページ)';
break;
case 'complete':
// No token validation precedes the destructive action.
$objCustomer = new SC_Customer_Ex();
$this->lfDeleteCustomer($objCustomer->getValue('customer_id'));
$objCustomer->EndSession();
SC_Response_Ex::sendRedirect('refusal_complete.php');
// NOTE(review): no break here; whether sendRedirect() ends the request is not visible in this excerpt.
default:
break;
}
-------------------------------------------------------------------
-------------------------------------------------------------------
変更後
-------------------------------------------------------------------
switch ($this->getMode()) {
case 'confirm':
// Issue (or reuse) the per-session withdrawal token and expose it to the
// confirm template as a hidden field.
$this->refusal_transactionid = $this->getRefusalToken();
$this->tpl_mainpage = 'mypage/refusal_confirm.tpl';
$this->tpl_subtitle = '退会手続き(確認ページ)';
break;
case 'complete':
// CSRF defence: refuse unless the POSTed token matches the session token.
if(!$this->isValidRefusalToken()) {
// Show the generic page error and stop processing.
SC_Utils_Ex::sfDispSiteError(PAGE_ERROR, '', true);
SC_Response_Ex::actionExit();
}
$objCustomer = new SC_Customer_Ex();
$this->lfDeleteCustomer($objCustomer->getValue('customer_id'));
// The session is ended here, which also discards the token; destroyRefusalToken() is not called on this path.
$objCustomer->EndSession();
SC_Response_Ex::sendRedirect('refusal_complete.php');
// NOTE(review): no break here; whether sendRedirect() ends the request is not visible in this excerpt.
default:
// The mobile template (mobile/mypage/refusal.tpl) posts mode=complete straight
// from this initial page, so the token has to be issued here for mobile;
// PC and smartphone flows receive it in the 'confirm' branch instead.
if (SC_Display_Ex::detectDevice() == DEVICE_TYPE_MOBILE) {
$this->refusal_transactionid = $this->getRefusalToken();
}
break;
}
-------------------------------------------------------------------
▽LC_Page_Mypage_Refusal.php
95行目付近
-------------------------------------------------------------------
変更前
-------------------------------------------------------------------
/**
 * Delete the customer record identified by $customer_id.
 *
 * Thin wrapper around SC_Helper_Customer_Ex::delete(); the helper's return
 * value is handed straight back to the caller. (The original docblock said
 * "private" and "void", neither of which matches the signature below.)
 *
 * NOTE(review): nothing in this method ties $customer_id to the current
 * session; the only caller visible in this advisory passes
 * $objCustomer->getValue('customer_id') from the logged-in session.
 *
 * @access public
 * @param  mixed $customer_id  ID of the customer to delete
 * @return mixed               whatever SC_Helper_Customer_Ex::delete() returns
 */
public function lfDeleteCustomer($customer_id)
{
return SC_Helper_Customer_Ex::delete($customer_id);
}
-------------------------------------------------------------------
変更後
-------------------------------------------------------------------
/**
 * Delete the customer record identified by $customer_id.
 *
 * Thin wrapper around SC_Helper_Customer_Ex::delete(); the helper's return
 * value is handed straight back to the caller. (The original docblock said
 * "private" and "void", neither of which matches the signature below.)
 *
 * NOTE(review): nothing in this method ties $customer_id to the current
 * session; the only caller visible in this advisory passes
 * $objCustomer->getValue('customer_id') from the logged-in session.
 *
 * @access public
 * @param  mixed $customer_id  ID of the customer to delete
 * @return mixed               whatever SC_Helper_Customer_Ex::delete() returns
 */
public function lfDeleteCustomer($customer_id)
{
return SC_Helper_Customer_Ex::delete($customer_id);
}
/**
 * Return the CSRF token for the withdrawal flow, minting it on first use.
 *
 * The token is kept in $_SESSION['refusal_transactionid'] for the rest of the
 * session and reused on every later call; it is not rotated per request.
 *
 * @return string the session-bound withdrawal token
 */
function getRefusalToken() {
$key = 'refusal_transactionid';
$token = isset($_SESSION[$key]) ? $_SESSION[$key] : null;
if (empty($token)) {
// First call in this session: ask the session helper for a fresh token.
$token = SC_Helper_Session_Ex::createToken();
$_SESSION[$key] = $token;
}
return $token;
}
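/**
 * Check the POSTed withdrawal token against the one stored in the session.
 *
 * Returns false when either side is missing or empty, when the POSTed value
 * is not a string (e.g. refusal_transactionid[]=x), or when the two differ.
 * The session entry is tested with empty() before being read so that a
 * request arriving before any token was issued does not emit an
 * undefined-index notice (the original read $_SESSION unguarded).
 *
 * @return bool true only when both tokens are non-empty strings and identical
 */
function isValidRefusalToken() {
if (empty($_POST['refusal_transactionid']) || empty($_SESSION['refusal_transactionid'])) {
return false;
}
$posted = $_POST['refusal_transactionid'];
$expected = $_SESSION['refusal_transactionid'];
// Arrays (or anything else non-string) can never be a valid token.
if (!is_string($posted) || !is_string($expected)) {
return false;
}
// hash_equals() (PHP >= 5.6) compares in constant time; fall back to a
// strict comparison on the older runtimes the 2.x series still supports.
if (function_exists('hash_equals')) {
return hash_equals($expected, $posted);
}
return $posted === $expected;
}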
/**
 * Discard the withdrawal token from the session.
 *
 * Removes $_SESSION['refusal_transactionid'] so the next getRefusalToken()
 * call mints a new one. Not invoked by the action() change shown in this
 * advisory, whose 'complete' path ends the whole session instead.
 *
 * @return void
 */
function destroyRefusalToken() {
$key = 'refusal_transactionid';
unset($_SESSION[$key]);
}
-------------------------------------------------------------------
▽default/mypage/refusal_confirm.tpl
28行目付近
-------------------------------------------------------------------
変更前
-------------------------------------------------------------------
<form name="form1" method="post" action="?">
<input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
<input type="hidden" name="mode" value="complete" />
-------------------------------------------------------------------
変更後
-------------------------------------------------------------------
<form name="form1" method="post" action="?">
<input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
<input type="hidden" name="refusal_transactionid" value="<!--{$refusal_transactionid}-->" />
<input type="hidden" name="mode" value="complete" />
-------------------------------------------------------------------
▽mobile/mypage/refusal.tpl
30行目付近
-------------------------------------------------------------------
変更前
-------------------------------------------------------------------
<form action="?" method="post">
<input type="hidden" name="mode" value="complete">
<input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->">
-------------------------------------------------------------------
変更後
-------------------------------------------------------------------
<form action="?" method="post">
<input type="hidden" name="mode" value="complete">
<input type="hidden" name="refusal_transactionid" value="<!--{$refusal_transactionid}-->" />
<input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->">
-------------------------------------------------------------------
▽sphone/mypage/refusal_confirm.tpl
28行目付近
-------------------------------------------------------------------
変更前
-------------------------------------------------------------------
<form name="form1" method="post" action="<!--{$smarty.const.HTTPS_URL}-->mypage/refusal.php">
<input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
<input type="hidden" name="mode" value="complete" />
-------------------------------------------------------------------
変更後
-------------------------------------------------------------------
<form name="form1" method="post" action="<!--{$smarty.const.HTTPS_URL}-->mypage/refusal.php">
<input type="hidden" name="<!--{$smarty.const.TRANSACTION_ID_NAME}-->" value="<!--{$transactionid}-->" />
<input type="hidden" name="refusal_transactionid" value="<!--{$refusal_transactionid}-->" />
<input type="hidden" name="mode" value="complete" />
=================================================================================================================
下記のリビジョンで修正
http://svn.ec-cube.net/open_trac/changeset/23277