Vulnerability summary

Defect ID: wooyun-2014-086324

Title: Unauthorized access to a database on a China Southern Power Grid platform (leaks user information)

Vendor: 中国南方电网 (China Southern Power Grid)

Author: 龍 、

Submitted: 2014-12-08 09:36

Fixed: 2015-01-22 09:38

Published: 2015-01-22 09:38

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organization (广东省信息安全测评中心, Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability details

Disclosure status:

2014-12-08: Details sent to the vendor; awaiting vendor handling
2014-12-08: Vendor confirmed; details disclosed to the vendor only
2014-12-18: Details disclosed to core white hats and experts in the relevant field
2014-12-28: Details disclosed to regular white hats
2015-01-07: Details disclosed to intern white hats
2015-01-22: Details disclosed to the public

Brief description:

Unauthorized access to a database on a China Southern Power Grid platform (leaks user information)

Detailed description:

[Screenshots 3.jpg, 2.jpg, 1.jpg: export of user records from the exposed database (ISODate() values and "/* n */" record separators indicate a MongoDB shell export); each record carries fields including name, phone, mail, department, position, university, avatar and user_ids]



Proof of vulnerability:

[Screenshot 3.jpg]

Remediation:

Copyright notice: when reposting, credit the source 龍 、@乌云


Vendor response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2014-12-08 14:13

Vendor reply:

Please provide valid, detailed vulnerability information.

Latest status:

None