当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-012093

漏洞标题:完美svn信息泄露&某管理地址泄漏

相关厂商:完美时空

漏洞作者: QK.PenTesting

提交时间:2012-09-12 19:10

修复时间:2012-10-27 19:10

公开时间:2012-10-27 19:10

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-09-12: 细节已通知厂商并且等待厂商处理中
2012-09-17: 厂商已经确认,细节仅向厂商公开
2012-09-27: 细节向核心白帽子及相关领域专家公开
2012-10-07: 细节向普通白帽子公开
2012-10-17: 细节向实习白帽子公开
2012-10-27: 细节向公众公开

简要描述:

我是QK,我不要当路人甲。
.svn/entries
小翻了下代码,找不到BUG,就不继续翻代码了 = =

详细说明:

http://esales.wanmei.com/e/.svn/entries
http://shendun.wanmei.com/.svn/entries
http://cookie.bi.wanmei.com/jsp/pvbi/.svn/entries
http://211.100.255.17/.svn/entries
http://211.100.255.18/.svn/entries
http://211.100.255.17:8080/.svn/entries
http://211.100.255.18:8080/.svn/entries
http://211.100.255.17/
http://211.100.255.18/

漏洞证明:

test1231231231.jsp 源码试读。

<%@page import="com.world2.esales.service.AutoCheckTaskNew"%>
<%@ page language="java" contentType="text/html; charset=GBK"
    pageEncoding="GBK"%>
<%@ page import="com.world2.limit.*,com.world2.esales.dao.ConnectionPool,java.sql.*,java.io.*,com.world2.config.EsalesConfig,java.text.*,com.world2.esales.commons.util.*,java.util.*,com.world2.esales.dao.jdbc.BusinessOrderFormDAOImpl,com.world2.esales.dao.jdbc.UserStoreNewDAOImpl,com.world2.esales.module.UserStoreNew"%>
<%
AutoCheckTaskNew.getInstance().run();
//ErrorInputCtrl.getInstance().getSafePassWDErrorLimit().remove(27013);
System.out.println("end");
%>
<%!
private void writeFile(String path, String name, String content)
throws Exception {
String fullName = path + "/" + name;
try {
File dirFile = new File(path);
dirFile.mkdirs();
File contFile = new File(fullName);
FileOutputStream outStream = new FileOutputStream(contFile);
PrintStream printStream = new PrintStream(outStream, false, "GBK");
printStream.print(content);
printStream.flush();
printStream.close();
} catch (Exception e) {
e.printStackTrace(System.out);
throw e;
}
}
private void checkUserStoreNewSaleOut() {
	StringBuffer sb = new StringBuffer();
	StringBuffer alertMsg=new StringBuffer();
	List<UserStoreNew> difflist=new ArrayList<UserStoreNew>();
	int i=0;
	try {
		List<UserStoreNew> userStoreNewList = UserStoreNewDAOImpl.getAllUserStoreNew();
		int diff;
		String problemMsg;
		for (UserStoreNew userStoreNew : userStoreNewList) {
			i++;
			if(i%100==0){
				System.out.println(i);
			}
			diff = UserStoreNewDAOImpl.getSumSaleOutAfter(userStoreNew
					.getUserid(), userStoreNew.getCardType())+ 
					UserStoreNewDAOImpl.getSumSaleOutBefore(userStoreNew
						.getUserid(), userStoreNew.getCardType())
					- userStoreNew.getSaleoutNumber();
			if (diff != 0) {
				if ( (Math.abs(diff) > 100) && (userStoreNew.getCardType() < 3)) {
					difflist.add(userStoreNew);
				}
				if ((Math.abs(diff) > 20 ) && (userStoreNew.getCardType() > 3)) {
					difflist.add(userStoreNew);
				}
			}
		}
		
		//对于误差大的再算一遍
		int diffcount=0;
		for(UserStoreNew u:difflist){
		    	UserStoreNew userStoreNew=UserStoreNewDAOImpl.getUserStoreNewByUserIdAndCardType(u.getUserid(), u.getCardType());
		    	diff = UserStoreNewDAOImpl.getSumSaleOutAfter(userStoreNew
				.getUserid(), userStoreNew.getCardType())+ 
				UserStoreNewDAOImpl.getSumSaleOutBefore(userStoreNew
					.getUserid(), userStoreNew.getCardType())- userStoreNew.getSaleoutNumber();
    			if (diff != 0) {
    				problemMsg = "userid=" + userStoreNew.getUserid()
    						+ ", cardtype=" + userStoreNew.getCardType()
    						+ " has saleout difference. storeSaleout="
    						+ userStoreNew.getSaleoutNumber()
    						+ ", realsaleout="
    						+ (userStoreNew.getSaleoutNumber() + diff)
    						+ ",diff =" + diff + "\r\n<br/>";
    				sb.append(problemMsg);
    				// generate alert email message
    				if ( (Math.abs(diff) > 100) && (userStoreNew.getCardType() < 3)) {
    					alertMsg.append(problemMsg);
    					diffcount++;
    				}
    				// generate alert email message
    				if ((Math.abs(diff) > 20 ) && (userStoreNew.getCardType() > 3)) {
    					alertMsg.append(problemMsg);
    					diffcount++;
    				}
    			}
		}
		if(diffcount==0){
		    alertMsg.append("sale out check no problem");
		}
		SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
		String savepath = EsalesConfig.getInstance().getLogPath("savepath");
		// record userstore saleout diff
		this.writeFile(savepath, sdf.format(new java.util.Date()) + ".log.2", sb.toString());
	} catch (Exception e) {
		e.printStackTrace();
	}
}
%>

修复方案:

你懂的。

版权声明:转载请注明来源 QK.PenTesting@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2012-09-17 09:18

厂商回复:

感谢QK.PenTesting对完美的关注,已通知相关人员进行处理

最新状态:

暂无