2011-05-02: 积极联系厂商并且等待厂商认领中,细节不对外公开 2011-05-02: 厂商已经主动忽略漏洞,细节向公众公开
中国信息安全认证中心源代码泄露漏洞
http://www.isccc.gov.cn/turbosearch/search.jsp%20http://www.isccc.gov.cn/turbosearch/search.jsp%2ehttp://www.isccc.gov.cn/turbosearch/search.jsp.bak
<%@ page language="java" contentType="text/html; charset=utf-8" %><%@ page import="org.apache.lucene.analysis.*,org.apache.lucene.analysis.cn.*,org.apache.lucene.document.*,org.apache.lucene.index.*,org.apache.lucene.search.*,org.apache.lucene.search.highlight.*,org.apache.lucene.queryParser.*,com.turbosearch.plugin.htmlparser.Entities,TurboCMS.tools.*,org.apache.lucene.document.DateTools.*,com.turbosearch.action.SystemSetAction" %><%@ page import="java.text.*,java.util.*,java.io.*"%><%@ page import="com.turbosearch.tools.FileLoader"%><%@ page import="com.turbosearch.action.IndexTaskAction;"%><%!public String getContent(String url) throws Exception{ String retv=""; try{ FileLoader fl = FileLoader.getInstance(); url = Config.SiteDirectory + url; retv = fl.getContent(url); }catch(Exception e){ retv = e.getMessage(); } return(retv);}public static String GetDateString(String FieldValue) throws Exception{ String sDate=""; if(FieldValue==null||FieldValue.equals("null")) return(""); try{ sDate = sDate + FieldValue.substring(0,4) + "-"; sDate = sDate + FieldValue.substring(4,6) + "-"; sDate = sDate + FieldValue.substring(6,8) + " "; sDate = sDate + FieldValue.substring(8,10) + ":"; sDate = sDate + FieldValue.substring(10,12) + ":"; //sDate = sDate + FieldValue.substring(12,14) + ":"; }catch(Exception e){ sDate = FieldValue; } return(sDate);}public static String gDate(String dstr) throws Exception{ String sdate = ""; try{ SimpleDateFormat f = new SimpleDateFormat("yyyy-MM-dd hh:mm"); java.util.Date d = f.parse(dstr); d = Config.DateAdd(d,28800); sdate = Config.GetDateString(d).substring(0,16); }catch(Exception e){ sdate = dstr; } return(sdate);}%><%request.setCharacterEncoding("UTF-8");%><% class CachedIndex { // an entry in the cache IndexReader reader; // an open reader long modified; // reader's modified date public CachedIndex(String name) throws Exception { modified = IndexReader.lastModified(name); // get modified date reader = IndexReader.open(name); // open reader } }long t0,t1;t0 = System.currentTimeMillis(); Analyzer analyzer = new ChineseAnalyzer(); Highlighter highlighter =null; String strSummary; String catalog = ""; if(request.getParameter("catalog")==null){%><script>alert("参数错误!");window.close();</script><% }else{ catalog = request.getParameter("catalog"); } //catalog="hs3w"; if(catalog.trim().equals("")||catalog.trim().length()==0){%><script>alert("参数错误!");window.close();</script><% }else{ String catalogs[]; if(catalog.indexOf(",")>-1) catalogs = catalog.split(","); else{ catalogs = new String[] {""}; catalogs[0] = catalog; } IndexSearcher searchers[]; searchers = new IndexSearcher[catalogs.length]; SystemSetAction catalogcfg = new SystemSetAction(); for(int i=0;i<catalogs.length;i++){ String indexPath = catalogcfg.getIndexBaseDir()+"/"+catalogs[i]; CachedIndex index = new CachedIndex(indexPath); IndexReader reader = index.reader; searchers[i] = new IndexSearcher(reader); } MultiSearcher searcher = new MultiSearcher(searchers); String qtype = request.getParameter("qtype"); if(qtype==null|| qtype.trim().length()==0) qtype="contents"; String queryString = request.getParameter("query"); if (queryString == null || queryString.trim().length()==0 ){ out.print("<br><br><p align='center'>没有输入搜索条件!</p>"); return; }else if(queryString.equals("-")||queryString.equals("+")){ out.print("<br><br><p align='center'>搜索条件有错误!</p>"); return; } int start = 0; // first hit to display String startString = request.getParameter("start"); if (startString != null) start = Integer.parseInt(startString); int hitsPerPage = 20; // number of hits to display String hitsString = request.getParameter("hitsPerPage"); if (hitsString != null) hitsPerPage = Integer.parseInt(hitsString); boolean showSummaries = true; // show summaries if (request.getParameter("showSummaries")!=null&&"false".equals(request.getParameter("showSummaries"))) showSummaries = false; Query query = null; try {//多field检索 String field[] = new String[]{"","",""}; if(qtype.equals("contents")) field[0] = "contents"; if(qtype.equals("title")) field[0] = "title"; if(qtype.equals("all")){ field[0] = "contents"; field[1] = "title"; } //field[2]="channel"; query = (new MultiFieldQueryParser(field,analyzer)).parse(queryString); } catch (Exception e) { // error parsing query out.println("<br><br>处理搜索条件时出错<br>搜索条件:"); out.println(queryString); out.println("<br>------------------------------------------"); out.println(e.getMessage()); return; } //时间段检索 DateFormat df = DateFormat.getDateInstance(); String qdate ="" ; String date1 ="" ; String date2 = ""; if(request.getParameter("qdate")==null||request.getParameter("qdate").equals("")) qdate = "modified"; else qdate = request.getParameter("qdate"); if(request.getParameter("date1")==null||request.getParameter("date1").equals("")) date1 = "2000-01-09"; else date1 = request.getParameter("date1"); if(request.getParameter("date2")==null||request.getParameter("date2").equals("")) date2 = Config.GetDateString(Config.Now()).substring(0,10); else date2 = request.getParameter("date2"); Date startdate = df.parse(date1); Date enddate = df.parse(date2); Term s1 = new Term(qdate,DateTools.dateToString(Config.DateAdd("d",-1,startdate),Resolution.SECOND)); Term s2 = new Term(qdate,DateTools.dateToString(Config.DateAdd("d",1,enddate),Resolution.SECOND)); Term s3 = new Term("channel","新闻中心"); RangeQuery rangeQuery = new RangeQuery(s1, s2, true); BooleanQuery bquery = new BooleanQuery(); TermQuery tquery = new TermQuery(s3); bquery.add(query,BooleanClause.Occur.MUST); bquery.add(rangeQuery,BooleanClause.Occur.MUST); //bquery.add(tquery,BooleanClause.Occur.MUST); Hits hits; //按某一顺序排序 String qsort; qsort = request.getParameter("qsort"); if(qsort==null||qsort.equals("")) qsort="RELEVANCE"; Sort sort=null; if(qsort.equals("RELEVANCE")) sort = Sort.RELEVANCE; //使用Lucene默认的排序 //sort = Sort.INDEXORDER; //根据IndexOrder排序 //sort = new Sort("modified",true); //根据文件的更新时间排序 if(qsort.equals("modified")) sort = new Sort(new SortField[]{new SortField("modified", SortField.STRING, true)}); if(qsort.equals("pubdate")) sort = new Sort(new SortField[]{new SortField("pubdate", SortField.STRING, true)}); hits = searcher.search(bquery,sort); try{ SimpleHTMLFormatter simpleHTMLFormatter = new SimpleHTMLFormatter("<font color=#e10900>","</font>"); //SimpleHTMLFormatter simpleHTMLFormatter = new SimpleHTMLFormatter(); highlighter = new Highlighter(simpleHTMLFormatter,new QueryScorer(query)); highlighter.setTextFragmenter(new SimpleFragmenter(2000)); //highlighter.setTextFragmenter(new NullFragmenter()); }catch(Exception eee){ System.out.println(eee.getMessage()); } int tpg = (int)Math.ceil((hits.length() + hitsPerPage-1) / hitsPerPage); String pgg=request.getParameter("pg"); int pg=1; if(pgg==null||pgg.equals("")){ pg=start/10+1; }else{ pg=Integer.parseInt(pgg); if(pg>tpg) pg=tpg; if(pg<1) pg = 1; start = (pg-1)*hitsPerPage; } int end = Math.min(hits.length(), start + hitsPerPage); t1=System.currentTimeMillis();%><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>中国信息安全认证中心-全文检索</title><style type="text/css">body{ font-size:14px;}td{ font-family: "宋体"; font-size: 12px; line-height: 20px; color: #000000; text-decoration: none;}</style><script language="javascript">function CheckAll(form) { for (var i=0;i<form.elements.length;i++) { var e = form.elements[i]; if (e.name.substring(0,5) !="chkall" && e.type=="checkbox" && e.name!="showSummaries"){ e.checked = document.getElementsByName("chkall")[0].checked; } }}function check(){ if(fm.query.value==""){ alert("请输入要检索的内容!"); fm.query.focus(); return(false); } function selectdate(el){ var args="font-size:10px;dialogWidth:286px;dialogHeight:290px;center:yes;status:no;help:no"; var argu=new Array(); <% Calendar cal = Calendar.getInstance(); SimpleDateFormat sdf=new SimpleDateFormat("M-d-yyyy"); %> argu[0]="<%=sdf.format(cal.getTime())%>"; var selectdate=window.showModalDialog("selectdate.htm",argu,args); if (selectdate!=null) el.value=selectdate; }</script></head><body><%//=getContent("/includes/head.html")%><table width="1002" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td align="center" valign="top"><iframe src="http://www.isccc.gov.cn/include/top_new.html" frameborder="0" height="283" width="1002" marginwidth="0" marginheight="0" scrolling="no"></iframe></td> </tr></table><table width="1002" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td width="776" valign="top"><table width="776" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td height="1"></td> </tr> <tr> <td height="25"><table width="100%" border="0" cellpadding="10" cellspacing="1" bgcolor="#CCCCCC"> <tr> <td width="75" align="center" valign="middle" bgcolor="#FFFFFF"><b>站<BR>内<BR>检<BR>索<hr size="1"> ISCCC网站</b></td> <td bgcolor="#FFFFFF"><table border="0" width="100%"> <form name="fm" method="post" action="search.jsp" onSubmit="return check()"> <input type="hidden" name="catalog" value="isccc"> <input type="hidden" name="qtype" value="all"> <tr><td></td><td></td></tr><tr><td>检索范围:</td><td><select name="qtype"> <option value="contents" selected>在内容中检索 <option value="title">在标题中检索 <option value="all">在标题和内容中检索</select> <select name="qdate"> <option value="pubdate">文章发布时间 <option value="modified" selected>文章更新时间</select>从<input type="text" value="<%=date1%>" name="date1" size="12"><img src="images/calendar.gif" onClick="selectdate(date1);" style="cursor:hand" title="点击选择时间">到<input type="text" value="<%=date2%>" name="date2" size="12"><img src="images/calendar.gif" onClick="selectdate(date2);" style="cursor:hand" title="点击选择时间">之间</td></tr><tr><td>检索设置:</td><td>每页显示<input type="text" name="hitsPerPage" value="20" size="4" style="text-align:center">篇 <input type="checkbox" name="showSummaries" value="false" id="showsum"><label for="showsum" style="cursor:hand">不显示摘要</label> <select name="qsort"> <option value="pubdate" selected>按文章发布时间排序 <option value="modified">按文章更新时间排序 <option value="RELEVANCE">按相关度排序</select></td></tr><tr><td>关键字:</td><td><input type="text" name="query" size="50"> <input type="image" src="images/search.gif" value="检索" name="search"></td></tr> </form></table></td></tr></table> </td> </tr> <tr> <td height="5"></td> </tr> <tr> <td> </td> </tr> <tr> <td height="5"></td> </tr></table><!--分页开始----><table width="776" border="0" align="center" cellpadding="0" cellspacing="0"> <tr> <td height="4"></td> </tr> <tr> <td> </td> </tr> <tr> <td><table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC"> <tr> <td bgcolor="#FFFFFF"><table width="100%" border="0" cellspacing="0" cellpadding="10"> <tr> <td width="76%" valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr><td colspan="2"> </td></tr> <% for (int i = start; i < end; i++) { // display the hits Document doc = hits.doc(i); String title = doc.get("title"); if (title.equals("")) // use url for docs w/o title title = doc.get("url"); TokenStream ts = analyzer.tokenStream("title",new StringReader(title)); String tmps = ""; try{ tmps = highlighter.getBestFragments(ts, title, 3, "..."); }catch(Exception e){ tmps = ""; } if(!tmps.equals("")) title = tmps; strSummary = doc.get("summary"); TokenStream ts2 = analyzer.tokenStream("summary",new StringReader(doc.get("summary"))); try{ tmps = highlighter.getBestFragments(ts2, doc.get("summary"), 2, "..."); //tmps = highlighter.getBestFragment(ts2, doc.get("summary")); }catch(Exception e){ //e.printStackTrace(); //System.out.println(e.getMessage()); tmps = ""; } if(!tmps.equals("")) strSummary = tmps; %> <tr> <td width="80%"><%=i+1%>.<a href="<%=doc.get("url")%>"><%=title%></a></td><td width="20%" title="(更新时间:<%=gDate(GetDateString(doc.get("modified")))%>)"><%=gDate(GetDateString(doc.get("pubdate")))%> <!--(更新时间:<%=gDate(GetDateString(doc.get("modified")))%>)--> </td> </tr> <% if(showSummaries){ %> <tr><td colspan="2"><b>摘要:</b><%=strSummary%></td></tr> <tr><td><a href="<%=doc.get("url")%>" target="_blank"><%=(doc.get("description")==null)?"":doc.get("description")%></a> </td><td align="right" class="font_hei" width="100">相关度:<% out.print((int)(hits.score(i) * 100.0f)); %>% </tr> <% } %><tr><td colspan="2" height="1" bgcolor="#EEEEEE"></td></tr><%}%><tr> <td align="center" style="font-size:12px" colspan="2"> <form name="search" method="post"> <input type="hidden" name="query" value="<%=Entities.encode(queryString)%>"> <input type="hidden" name="start" value="<%=end%>"> <input type="hidden" name="catalog" value="<%=catalog%>"> <input type="hidden" name="hitsPerPage" value="<%=hitsPerPage%>"> <input type="hidden" name="showSummaries" value="<%=showSummaries%>"> <input type="hidden" name="qsort" value="<%=qsort%>"> <input type="hidden" name="date1" value="<%=date1%>"> <input type="hidden" name="date2" value="<%=date2%>"> <input type="hidden" name="qdate" value="<%=qdate%>">总<%=hits.length()%> 篇 ,共 <%=(int)Math.ceil((hits.length() + hitsPerPage-1) / hitsPerPage)%> 页 <%if (start>0){%> <a href="#" onClick="document.search.start.value=<%=start-hitsPerPage%>;document.search.submit();" class="font_lv">上一页</a><%}else{%><font class="font_lv">上一页</font><%}%><a href="#" onClick="document.search.start.value=0;document.search.submit();">最首页</a><%//开始显示分页代码int tenp;String sUrl="";int pc=(int)Math.ceil((hits.length() + hitsPerPage -1) / hitsPerPage);tenp=(int)Math.floor((pg-1)/10);if (tenp>0) //显示上10页{%> <a href="#" onClick="document.search.pg.value=<%=((tenp-1)*10+1)%>;document.search.start.value=<%=hitsPerPage*((tenp-1)*10)%>;document.search.submit();">上10页</a> <%}else{%>上10页<%}int t=0;if ((tenp+1)*10>pc) t=pc; else t=(tenp+1)*10;for (int i=tenp*10+1;i<=t;i++){ if (pg==i) {%> <b><font color=red><%=pg%></font></b><% }else{%><a href="#" onClick="document.search.pg.value=<%=i%>;document.search.start.value=<%=hitsPerPage*(i-1)%>;document.search.submit();" class=a03><%=i%></a> <%}}if (tenp<Math.floor(pc/10)) //显示下10页{%><a href="#" onClick="document.search.pg.value=<%=((tenp+1)*10+1)%>;document.search.start.value=<%=hitsPerPage*((tenp+1)*10)%>;document.search.submit();" class=a03>下10页</a> <%}else{%>下10页<%}%><a href="#" onClick="document.search.pg.value=<%=pc%>;document.search.start.value=<%=hitsPerPage*(pc-1)%>;document.search.submit();" class=a03>最末页</a><%if (end < hits.length()) { // insert next page button%> <!--<input type="submit" value="后一页>>">--> <a href="#" onClick="document.search.submit();" class="font_lv">下一页</a><%}else{%><font class="font_lv">下一页</font><%}%></font><input type="text" name="pg" size="3"><input type="submit" value="GO"> </form> </td> </tr> </table></td> </tr> </table></td> </tr> </table></td> </tr></table><!--分页结束--></td> <td width="226" valign="top"><iframe src="http://www.isccc.gov.cn/include/left4.html" frameborder="0" height="500" width="226" marginwidth="0" marginheight="0" scrolling="no"></iframe></td> </tr></table><!-------------------------------网页底部------------------------------------><table width="1002" border="0" cellspacing="0" cellpadding="0" align="center"> <tr> <td align="center"><iframe src="http://www.isccc.gov.cn/include/bottom_new.htm" frameborder="0" height="175" width="1002" marginwidth="0" marginheight="0" scrolling="no"></iframe></td> </tr></table></body></html><%}%>
who knows ?你说呢?akast@ngsst.com
未能联系到厂商或者厂商积极拒绝
漏洞Rank:4 (WooYun评价)
