当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-07288

漏洞标题:爱乐活loho敏感信息泄漏

相关厂商:百度

漏洞作者: 林夕梦

提交时间:2012-05-18 18:03

修复时间:2012-07-02 18:04

公开时间:2012-07-02 18:04

漏洞类型:应用配置错误

危害等级:低

自评Rank:1

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-05-18: 细节已通知厂商并且等待厂商处理中
2012-05-21: 厂商已经确认,细节仅向厂商公开
2012-05-31: 细节向核心白帽子及相关领域专家公开
2012-06-10: 细节向普通白帽子公开
2012-06-20: 细节向实习白帽子公开
2012-07-02: 细节向公众公开

简要描述:

http://www.leho.com/54654654
http://i.leho.com/11111111111111
http://show.leho.com/2222
域名后面随便加数字,直接显示出Array阵列,而不是跳转到404页面.

详细说明:

http://www.leho.com/

域名后面随便加数字,直接显示出Array阵列

Array
(
[err] => mcphp.ok
[data] => Array
(
[__need_login__] =>
[_sh_base_url] =>
[_arr_get_raw] => Array
(
)
[_url] => /sns/54654654/
[_uri] => /sns/54654654/
[_host] => www.leho.com
[_now] => 1337331899
[_app_id_] => 4184239500
[__user__] => Array
(
[uid] => 0
[uname] =>
[nickname] =>
[is_login] =>
[utype] => 0
[uneedActivate] => 0
[uloginname] =>
[uthirdtype] => 0
[sns_domain] =>
[sh_domain] =>
[sns_set_domain] => 0
[sh_set_domain] => 0
)
[__sh__] => Array
(
[sh_id] => 0
[sh_uid] => 0
[sh_uname] =>
[sh_code] => 0
[sh_name] =>
[sh_status] => 0
[cid] => 0
[locid] => 0
)
[_pv_params] => Array
(
[0] => sns
[1] =>
)
[u_email] =>
[__snsUser__] => Array
(
[head_imid] => 0
[sex] =>
[province] =>
[city] =>
[district] =>
[birth_year] => 0
[birth_month] => 0
[birth_day] => 0
[username] =>
[signature] =>
[sns_user_type] => 0
)
[__snsThird__] => Array
(
)
)
)

漏洞证明:

http://www.leho.com/54654654
http://i.leho.com/11111111111111
http://show.leho.com/2222
域名后面随便加数字,直接显示出Array阵列

Array
(
[err] => mcphp.ok
[data] => Array
(
[__need_login__] =>
[_sh_base_url] =>
[_arr_get_raw] => Array
(
)
[_url] => /sns/54654654/
[_uri] => /sns/54654654/
[_host] => www.leho.com
[_now] => 1337331899
[_app_id_] => 4184239500
[__user__] => Array
(
[uid] => 0
[uname] =>
[nickname] =>
[is_login] =>
[utype] => 0
[uneedActivate] => 0
[uloginname] =>
[uthirdtype] => 0
[sns_domain] =>
[sh_domain] =>
[sns_set_domain] => 0
[sh_set_domain] => 0
)
[__sh__] => Array
(
[sh_id] => 0
[sh_uid] => 0
[sh_uname] =>
[sh_code] => 0
[sh_name] =>
[sh_status] => 0
[cid] => 0
[locid] => 0
)
[_pv_params] => Array
(
[0] => sns
[1] =>
)
[u_email] =>
[__snsUser__] => Array
(
[head_imid] => 0
[sex] =>
[province] =>
[city] =>
[district] =>
[birth_year] => 0
[birth_month] => 0
[birth_day] => 0
[username] =>
[signature] =>
[sns_user_type] => 0
)
[__snsThird__] => Array
(
)
)
)

修复方案:

技术员知道怎么解决.

版权声明:转载请注明来源 林夕梦@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2012-05-21 11:15

厂商回复:

感谢提交

最新状态:

暂无