当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-012093

漏洞标题:完美svn信息泄露&某管理地址泄漏

相关厂商:完美时空

漏洞作者: QK.PenTesting

提交时间:2012-09-12 19:10

修复时间:2012-10-27 19:10

公开时间:2012-10-27 19:10

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-09-12: 细节已通知厂商并且等待厂商处理中
2012-09-17: 厂商已经确认,细节仅向厂商公开
2012-09-27: 细节向核心白帽子及相关领域专家公开
2012-10-07: 细节向普通白帽子公开
2012-10-17: 细节向实习白帽子公开
2012-10-27: 细节向公众公开

简要描述:

我是QK,我不要当路人甲。
.svn/entries
小翻了下代码,找不到BUG,就不继续翻代码了 = =

详细说明:

http://esales.wanmei.com/e/.svn/entries
http://shendun.wanmei.com/.svn/entries
http://cookie.bi.wanmei.com/jsp/pvbi/.svn/entries
http://211.100.255.17/.svn/entries
http://211.100.255.18/.svn/entries
http://211.100.255.17:8080/.svn/entries
http://211.100.255.18:8080/.svn/entries
http://211.100.255.17/
http://211.100.255.18/

漏洞证明:

test1231231231.jsp 源码试读。

<%@page import="com.world2.esales.service.AutoCheckTaskNew"%>
<%@ page language="java" contentType="text/html; charset=GBK"
pageEncoding="GBK"%>
<%@ page import="com.world2.limit.*,com.world2.esales.dao.ConnectionPool,java.sql.*,java.io.*,com.world2.config.EsalesConfig,java.text.*,com.world2.esales.commons.util.*,java.util.*,com.world2.esales.dao.jdbc.BusinessOrderFormDAOImpl,com.world2.esales.dao.jdbc.UserStoreNewDAOImpl,com.world2.esales.module.UserStoreNew"%>
<%
AutoCheckTaskNew.getInstance().run();
//ErrorInputCtrl.getInstance().getSafePassWDErrorLimit().remove(27013);
System.out.println("end");
%>
<%!
private void writeFile(String path, String name, String content)
throws Exception {
String fullName = path + "/" + name;
try {
File dirFile = new File(path);
dirFile.mkdirs();
File contFile = new File(fullName);
FileOutputStream outStream = new FileOutputStream(contFile);
PrintStream printStream = new PrintStream(outStream, false, "GBK");
printStream.print(content);
printStream.flush();
printStream.close();
} catch (Exception e) {
e.printStackTrace(System.out);
throw e;
}
}
private void checkUserStoreNewSaleOut() {
StringBuffer sb = new StringBuffer();
StringBuffer alertMsg=new StringBuffer();
List<UserStoreNew> difflist=new ArrayList<UserStoreNew>();
int i=0;
try {
List<UserStoreNew> userStoreNewList = UserStoreNewDAOImpl.getAllUserStoreNew();
int diff;
String problemMsg;
for (UserStoreNew userStoreNew : userStoreNewList) {
i++;
if(i%100==0){
System.out.println(i);
}
diff = UserStoreNewDAOImpl.getSumSaleOutAfter(userStoreNew
.getUserid(), userStoreNew.getCardType())+
UserStoreNewDAOImpl.getSumSaleOutBefore(userStoreNew
.getUserid(), userStoreNew.getCardType())
- userStoreNew.getSaleoutNumber();
if (diff != 0) {
if ( (Math.abs(diff) > 100) && (userStoreNew.getCardType() < 3)) {
difflist.add(userStoreNew);
}
if ((Math.abs(diff) > 20 ) && (userStoreNew.getCardType() > 3)) {
difflist.add(userStoreNew);
}
}
}

//对于误差大的再算一遍
int diffcount=0;
for(UserStoreNew u:difflist){
UserStoreNew userStoreNew=UserStoreNewDAOImpl.getUserStoreNewByUserIdAndCardType(u.getUserid(), u.getCardType());
diff = UserStoreNewDAOImpl.getSumSaleOutAfter(userStoreNew
.getUserid(), userStoreNew.getCardType())+
UserStoreNewDAOImpl.getSumSaleOutBefore(userStoreNew
.getUserid(), userStoreNew.getCardType())- userStoreNew.getSaleoutNumber();
if (diff != 0) {
problemMsg = "userid=" + userStoreNew.getUserid()
+ ", cardtype=" + userStoreNew.getCardType()
+ " has saleout difference. storeSaleout="
+ userStoreNew.getSaleoutNumber()
+ ", realsaleout="
+ (userStoreNew.getSaleoutNumber() + diff)
+ ",diff =" + diff + "\r\n<br/>";
sb.append(problemMsg);
// generate alert email message
if ( (Math.abs(diff) > 100) && (userStoreNew.getCardType() < 3)) {
alertMsg.append(problemMsg);
diffcount++;
}
// generate alert email message
if ((Math.abs(diff) > 20 ) && (userStoreNew.getCardType() > 3)) {
alertMsg.append(problemMsg);
diffcount++;
}
}
}
if(diffcount==0){
alertMsg.append("sale out check no problem");
}
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
String savepath = EsalesConfig.getInstance().getLogPath("savepath");
// record userstore saleout diff
this.writeFile(savepath, sdf.format(new java.util.Date()) + ".log.2", sb.toString());
} catch (Exception e) {
e.printStackTrace();
}
}
%>

修复方案:

你懂的。

版权声明:转载请注明来源 QK.PenTesting@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2012-09-17 09:18

厂商回复:

感谢QK.PenTesting对完美的关注,已通知相关人员进行处理

最新状态:

暂无