当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-086863

漏洞标题:土豆网某分站配置不当 泄露大量敏感信息(多台服务器FTP、SSH密码)

相关厂商:土豆网

漏洞作者: 路人甲

提交时间:2014-12-11 23:53

修复时间:2015-01-25 23:54

公开时间:2015-01-25 23:54

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-12-11: 细节已通知厂商并且等待厂商处理中
2014-12-12: 厂商已经确认,细节仅向厂商公开
2014-12-22: 细节向核心白帽子及相关领域专家公开
2015-01-01: 细节向普通白帽子公开
2015-01-11: 细节向实习白帽子公开
2015-01-25: 细节向公众公开

简要描述:

土豆网某分站配置不当 泄露大量铭感信息(多台服务器FTP、SSH密码)

详细说明:

结合提交的这个漏洞,内网伤害很大
WooYun: 土豆网某分站存在远程命令执行漏洞已验证可内网渗透
服务端采用node.js,但是源码泄露了

http://114.80.235.161:8083/v3/tpm-config.js
http://114.80.235.161:8083/v3/sdm-config.json


"env" : {
"beta" : {
"users" : ["*"],
"domain" : "http://cssbeta.tudouui.com/v3",
"upload" : {
"host" : "114.80.236.91",
"user" : "uibeta",
"port" : 21,
"pass" : "(*****Fw",
"root" : "/UPLOAD",
"root2" : "/dispatch"
},
"uiversion" : {
"host" : "114.80.236.91",
"user" : "betacontrol",
"port" : 22,
"pass" : "PL*****C",
"root" : "/home/betacontrol/uiversioning/beta"
}
},
"wwwtest" : {
"users" : ["lhluo", "zhaohd", "nliu", "liuxm", "xqjia", "zrli", "baige", "qianwu", "huhongying", "chuhongyue", "wtzhang", "jyan", "wkli", "cyliu"],
"domain" : "http://csstest.tudouui.com/v3",
"upload" : {
"host" : "114.80.236.91",
"user" : "uitest.tudou.com",
"port" : 21,
"pass" : "Z*****%",
"root" : "/UPLOAD",
"root2" : "/dispatch"
},
"uiversion" : {
"host" : "114.80.236.91",
"user" : "controlcenter",
"port" : 22,
"pass" : "8i****L>",
"root" : "/home/controlcenter/uiversioning/test"
}
},
"wwwtest1" : {
"users" : ["lhluo", "zhaohd", "nliu", "liuxm", "xqjia", "zrli", "baige", "qianwu", "huhongying", "chuhongyue", "wtzhang", "jyan", "wkli", "cyliu"],
"domain" : "http://csstest1.intra.tudou.com/v3",
"upload" : {
"host" : "114.80.236.91",
"user" : "uitest1.tudou.com",
"port" : 21,
"pass" : "Z****$%",
"root" : "/UPLOAD",
"root2" : "/dispatch"
},
"uiversion" : {
"host" : "114.80.236.91",
"user" : "controlcenter",
"port" : 22,
"pass" : "8****L>",
"root" : "/home/controlcenter/uiversioning/test1"
}
},

漏洞证明:

var Fs = require('fs');
exports.root = __dirname;
exports.jira_host = 'http://jira.intra.tudou.com';
exports.deploy_mail = 'webtest_fabu@tudou.com';
exports.useClientMail = false; // 是否使用系统自带email发邮件
exports.autoSvnAdd = true; // build、dist目录中新增文件时是否自动执行svn add
exports.main = {
"js" : [
"lib.js",
"g.js",
"tui.js",
"lite.js",
"m.js",
"loader.js",
"autodomain.js",
"lib/xiuxiu.js",
"lazy/translate.js",
"lazy/history/history.js",
"lazy/kindeditor.js",
"lazy/play/lintrend.js",
"lazy/app-recom.js",
"page/play/playerLoader.js",
"page/watchlater/main.js",
"page/mobile/live/main.js",
"page/mobile/play/main.js",
"page/mobile/myrec/main.js",
"page/mobile/feedback/main.js",
"page/ch/music/rank.js",
"page/ch/cate/main.js",
"page/ch/list/main.js",
"page/ch/star/main.js",
"page/ch/star/list.js",
"page/albumcover/main.js",
"page/ch/main.js",
"page/ch/index.js",
"page/error/v.js",
"page/watchlater/oldwl.js",
"page/btn/btn.js",
"page/pay/v.js",
"page/playlist/cover.js",
"page/playlist/cover2/main.js",
"page/playlist/cover3/main.js",
"page/playlist/edit.js",
"page/login/mini.js",
"page/login/main.js",
"page/login/forget.js",
"page/play/main.js",
"page/mobile/play/main.js",
"page/mobile/ch2/index.js",
"page/mobile/ch2/list.js",
"page/mobile/watch/home.js",
"page/mobile/watch/subset.js",
"page/mobile/watch/history.js",
"page/mobile/watch/watch.js",
"page/mobile/watch/favorite.js",
"page/home/v2/main.js",
"page/home/v2/admin.js",
"page/jbp/main.js",
"page/stat/stat.js",
"page/rss/main.js",
"page/rss/history.js",
"page/watch/main.js",
"page/square/main.js",
"page/service/main.js",
"page/service/playtudou.js",
"page/service/help.js",
"page/mytudou/mysetting.js",
"page/mytudou/message.js",
"page/mytudou/manage.js",
"page/mytudou/myprogram.js",
"page/mytudou/myplaylist.js",
"page/mytudou/msglist.js",
"page/mytudou/mycomment.js",
"page/mytudou/myprogram-edit.js",
"page/mytudou/myprogram-remark.js",
"page/verify/index.js",
"page/verify/verify.js",
"page/verify/sub.js",
"page/tdvf/2014/main.js",
"page/tdvf/2014/index.js",
"page/tdvf/2014/submit.js",
"page/tdvf/2014/channel-list.js",
"page/tdvf/2014/video-list.js",
"page/mobile/tdvf/index.js",
"page/mobile/tdvf/channel.js",
"page/mobile/tdvf/video.js",
"page/activity/index.js",
"page/activity/join.js",
"page/activity/home.js",
"page/app/v.js",
"page/albumcover/list.js",
"page/member/account.js",
"page/member/index.js",
"page/member/list.js",
"page/member/privilege.js",
"page/mobile/rank/rank.js"
],
"css" : [
"g.less",
"playlist/cover.less",
"playlist/edit.less",
"playlist/cover2/main.less",
"playlist/cover3/main.less",
"ch/music/rank.less",
"ch/cate/main.less",
"ch/list/main.less",
"ch/star/list.less",
"ch/star/main.less",
"albumcover/main.less",
"ch/main.less",
"ch/index.less",
"error/v.less",
"square/main.less",
"watch/main.less",
"watchlater/main.less",
"watchlater/global.less",
"mobile/play/main2.less",
"mobile/feedback/main.less",
"mobile/ch/g.less",
"mobile/ch2/index.less",
"mobile/ch2/list.less",
"mobile/ch2/recom.less",
"mobile/watch/home.less",
"mobile/watch/watch.less",
"mobile/watch/history.less",
"mobile/watch/subset.less",
"mobile/watch/favorite.less",
"pay/common.less",
"g/btn.less",
"g/sidebar.less",
"play/play.less",
"login/mini.less",
"login/main.less",
"login/forget.less",
"home/main2.less",
"jbp/main.less",
"rss/main.less",
"service/main.less",
"service/playtudou.less",
"service/help.less",
"mytudou/main.less",
"mytudou/mysetting.less",
"mytudou/message.less",
"mytudou/message.less",
"mytudou/notify.less",
"mytudou/edit.less",
"verify/main.less",
"tdvf/2014/main.less",
"activity/main.less",
"activity/home.less",
"member/main.less",
"cent/main.less",
"app/mobile.less",
"32/main.less",
"rank/main.less",
"home/channel/main.less",
"mobile/rank/rank.less"
]
};
exports.libjs = {
"lib.js" : ["lib/jquery.js", "lib/fix.js", "lib/oz.js", "lib/config.js"],
"lite.js" : ["lib/zepto.js", "lib/zepto-fix.js", "lib/oz.js", "lib/config.js"],
"loader.js" : ["lib/fix.js", "lib/oz.js", "lib/config.js"],
"page/play/playerLoader.js" : ["page/play/playerLoader.js"],
"autodomain.js" : ["autodomain.js"]
};
exports.globaljs = [
"g.js",
"tui.js",
"m.js",
"page/stat/stat.js",
"page/watchlater/oldwl.js"
];
exports.ftp = {
beta : {
host : '114.80.236.91',
user : 'uibeta',
port : 21,
pass : '(*******TFw',
root : '/UPLOAD'
}
};
exports.project = Fs.existsSync(__dirname + '/project.json') ?
JSON.parse(Fs.readFileSync(__dirname + '/project.json', 'utf-8'))
: {};
exports.server = {
wwwtest: {
watchlater: {
host : 'online-test3',
user : 'watchlater',
pass : '********',
root : '/home/watchlater/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
albumcover: {
host : 'playlist-test',
user : '********',
pass : '********',
root : '/home/********/albumcover/apache-tomcat-7.0.40/webapps/albumcover/WEB-INF/tpl/album/'
},
tditemview: {
host : 'wwwtest',
user : 'tditem',
pass : '********',
root : '/home/tditem/apache-tomcat-7.0.40/webapps/ROOT/WEB-INF/tpl/'
},
listplay : {
host : 'playlist-test',
user : 'listPlay',
pass : '********',
root : '/home/listPlay/apache-tomcat-5.5.20/webapps/ROOT/WEB-INF/tpl/play/'
},
albumplay : {
host : 'online-test3',
user : 'albumplay',
pass : '********',
root : '/home/albumplay/apache-tomcat/webapps/ROOT/WEB-INF/tpl/album/'
},
webupload: {
host : '10.25.10.11',
user : 'webupload',
pass : '********',
root : '/home/webupload/apache-tomcat/webapps/ROOT/WEB-INF/tpl/my/program/'
},
myplaylist: {
host : 'playlist-test',
user : 'play_admin',
pass : '********',
root : '/home/play_admin/apache-tomcat/webapps/playlist/WEB-INF/tpl/'
},
feedback: {
host : 'online-test2',
user : 'programs',
pass : '********',
root : '/home/programs/feedback/apache-tomcat-6.0.18/webapps/feedback/WEB-INF/tpl/'
},
********: {
host : 'online-test2',
user : '********',
pass : '********',
root : '/home/********/apache-tomcat-6.0.18/webapps/********/WEB-INF/tpl/'
},
tdpassport: {
host : 'online-test2',
user : 'tdpassport',
pass : '********',
root : '/home/tdpassport/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
homepage: {
host : 'online-test7',
user : 'homepage',
pass : '********',
root : '/home/homepage/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
watch: {
host : 'online-test6',
user : 'watchcenter',
pass : '********',
root : '/home/watchcenter/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
xpage: {
host : 'online-test4',
user : 'xpage',
pass : '********',
root : '/home/xpage/apache-tomcat/webapps/xpage/WEB-INF/tpl/'
},
catefront: {
host : 'playlist-test',
user : 'list',
pass : '********',
root : '/home/list/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
square: {
host : 'playlist-test',
user : 'list',
pass : '********',
root : '/home/list/apache-tomcat/webapps/ROOT/WEB-INF/tpl/square/'
},
verify: {
host : 'online-test1',
user : 'mycenter',
pass : '********',
root : '/home/mycenter/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
}
},
wwwtest1: {
tditemview : {
host : 'online-test3',
user : 'itemview1',
pass : '********',
root : '/home/itemview1/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
listplay : {
host : 'online-test3',
user : 'listplay1',
pass : '********',
root : '/home/listplay1/apache-tomcat-7.0.29/webapps/ROOT/WEB-INF/tpl/play/'
},
albumplay : {
host : 'online-test3',
user : 'albumplay1',
pass : '********',
root : '/home/albumplay1/apache-tomcat/webapps/ROOT/WEB-INF/tpl/album/'
}
},
wwwtest2: {
tditemview: {
host : 'online-test3',
user : 'itemview2',
pass : '********',
root : '/home/itemview2/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
listplay : {
host : 'online-test3',
user : 'listplay2',
pass : '********',
root : '/home/listplay2/apache-tomcat/webapps/ROOT/WEB-INF/tpl/play/'
},
albumplay : {
host : 'online-test3',
user : 'albumplay2',
pass : '********',
root : '/home/albumplay2/apache-tomcat/webapps/ROOT/WEB-INF/tpl/album/'
}
},
beta: {
tditemview: {
host : 'beta-app3',
user : 'app_admin',
pass : '********',
root : '/home/app_admin/apache-tomcat-6.0.18/webapps/ROOT/WEB-INF/tpl/'
},
listplay : {
host : 'beta-app3',
user : 'listplay',
pass : '********',
root : '/home/listplay/apache-tomcat-6.0.18/webapps/ROOT/WEB-INF/tpl/play/'
},
albumplay : {
host : 'beta-app1',
user : 'albumplay',
pass : '********',
root : '/home/albumplay/apache-tomcat/webapps/ROOT/WEB-INF/tpl/album/'
},
********: {
host : 'beta-test2',
user : '********',
pass : '********',
root : '/home/********/apache-tomcat-6.0.18/webapps/********/WEB-INF/tpl/'
}
},
beta1: {
tditemview: {
host : 'beta-app4',
user : 'itemview1',
pass : '********',
root : '/home/itemview1/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
listplay : {
host : 'beta-app4',
user : 'listplay1',
pass : '********',
root : '/home/listplay1/apache-tomcat-7.0.29/webapps/ROOT/WEB-INF/tpl/play/'
},
albumplay : {
host : 'beta-app4',
user : 'albumplay1',
pass : '********',
root : '/home/albumplay1/apache-tomcat/webapps/ROOT/WEB-INF/tpl/album/'
}
},
beta2: {
tditemview: {
host : 'beta-app4',
user : 'itemview2',
pass : '********',
root : '/home/itemview2/apache-tomcat/webapps/ROOT/WEB-INF/tpl/'
},
listplay : {
host : 'beta-app4',
user : 'listplay2',
pass : '********',
root : '/home/listplay2/apache-tomcat-6.0.18/webapps/ROOT/WEB-INF/tpl/play/'
},
albumplay : {
host : 'beta-app4',
user : 'albumplay2',
pass : '********',
root : '/home/albumplay2/apache-tomcat-6.0.18/webapps/ROOT/WEB-INF/tpl/album/'
}
}
};
exports.ssh = {
beta : {
host : '114.80.236.91',
user : 'betacontrol',
port : 22,
pass : '********',
root : '/home/betacontrol/uiversioning/beta'
},
manage3 : {
host : '10.25.251.101',
user : 'zhangfeng',
pass : '********',
root : '/home/zhangfeng/'
}
}

修复方案:

删除

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-12-12 17:55

厂商回复:

开发环境被无情透出,已处理,多谢

最新状态:

暂无