当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-064861

漏洞标题:阿里巴巴某处漏洞修复不完整!

相关厂商:阿里巴巴

漏洞作者: Nebula

提交时间:2014-06-14 08:50

修复时间:2014-07-29 08:52

公开时间:2014-07-29 08:52

漏洞类型:未授权访问/权限绕过

危害等级:低

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-14: 细节已通知厂商并且等待厂商处理中
2014-06-16: 厂商已经确认,细节仅向厂商公开
2014-06-26: 细节向核心白帽子及相关领域专家公开
2014-07-06: 细节向普通白帽子公开
2014-07-16: 细节向实习白帽子公开
2014-07-29: 细节向公众公开

简要描述:

RT!

详细说明:

正好等看世界杯比赛,顺便看看!
WooYun: 内网编织者阿里巴巴集团各业务内网来回编织!

漏洞证明:

现在是对ip访问基本都限制了,还有就是配置了内网ip数量比较多的域名:*.alibaba-inc.com也限制了!
但其他类型的url访问及权限绕过还是有不少的,这里我看了一下,大致分三种的权限绕过访问没处理(其实就是一种:公司所有域名):
1.比较多的是,配置内网ip的域名,如:
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=wiki.aliyun-inc.com

1.png


1.png


2.域名配置外网ip,但外网访问有ip限制:
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=bi.aliyun-inc.com

1.png


1.png


1.png


3.对页面访问有ip限制:
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=gtools.alibabalabs.com/uc/index.php

1.png


1.png


然后其他信息找了一些:
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=ditu.alibabalabs.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=cacti.taobao.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=cpgw.taobao.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=api.ctu.taobao.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=antispam.feedback.taobao.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=view.lz.taobao.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=svn.simba.taobao.com
http://share.jianghu.taobao.com/share/addShare.htm?title=&url=bugfree.corp.taobao.com
选了几个域名,字典稍微fuzzing一下(也发现不少):
*.aliyun-inc.com
l.aliyun-inc.com/10.101.168.181
t.aliyun-inc.com/10.230.230.56
ak.aliyun-inc.com/10.138.138.21
bi.aliyun-inc.com/42.120.158.161
go.aliyun-inc.com/42.120.218.191
ls.aliyun-inc.com/42.156.234.5
qa.aliyun-inc.com/10.125.8.229
abc.aliyun-inc.com/42.156.141.171
act.aliyun-inc.com/42.156.141.193
cat.aliyun-inc.com/112.124.142.2
crm.aliyun-inc.com/42.120.158.217
jwx.aliyun-inc.com/42.120.218.9
msc.aliyun-inc.com/42.120.158.213
scm.aliyun-inc.com/10.230.204.45
sla.aliyun-inc.com/42.156.141.247
sls.aliyun-inc.com/10.206.120.26
soc.aliyun-inc.com/110.75.102.152
svn.aliyun-inc.com/10.230.202.47
tms.aliyun-inc.com/10.147.208.62
umm.aliyun-inc.com/10.138.138.21
wiki.aliyun-inc.com/10.125.2.218
......
*.alipay.com
adc.alipay.com/110.75.149.119
ads.alipay.com/110.75.149.200
ars.alipay.com/110.75.149.142
bcm.alipay.com/110.75.149.21
crm.alipay.com/110.75.149.22
fbi.alipay.com/110.75.143.170
hjc.alipay.com/110.75.149.81
idb.alipay.com/110.75.149.156
kmi.alipay.com/110.75.149.38
......
*.alibaba.com
dse.alibaba.com
......
*.alisoft.com
alisoft.com/127.0.0.1(当前url页面解析所在服务器)
*.aliloan.com
x.aliloan.com/172.18.74.74
wbs.aliloan.com/42.120.158.205

1.png


修复方案:

可能限制的正则代码要加长点了(如果这个只是临时补丁或者业务需要可以承受风险,这个问题可以忽略!)

版权声明:转载请注明来源 Nebula@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2014-06-16 16:47

厂商回复:

感谢您对我们的关注和支持,该漏洞我们正在修复!

最新状态:

暂无