
Defect ID: wooyun-2014-087259

Title: Misconfiguration on a Weiphone (威锋网) host leaks outgoing mail at random (password-reset links exposed)

Affected vendor: weiphone

Reporter: 鸟云厂商

Submitted: 2014-12-15 17:29

Fixed: 2014-12-16 21:37

Published: 2014-12-16 21:37

Vulnerability type: Application misconfiguration

Severity: Medium

Self-assessed Rank: 10

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2014-12-15: Details sent to the vendor; awaiting the vendor's response
2014-12-16: Vendor confirmed the issue; details disclosed to the vendor only
2014-12-16: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Summary:

Misconfiguration on a Weiphone (威锋网) host leaks outgoing mail at random (password-reset links exposed)

Detailed description:

http://edm.feng.com/
This is Weiphone's bulk-mail (EDM) system.
Its web root contains a file named aaa.txt: http://edm.feng.com/aaa.txt
The file is not static: it keeps changing as mail is sent.
In short, the record of every mail the system sends is written to this file.

[Image: weiphone.png]


Whenever you open it, you see entries such as:

INSERT INTO `mail_deliver_log_queue` (did,ip,msgid,code,email,cid,domain,mx,cmd,reason,is_retry,add_time) VALUES ('855785','162.209.149.40','3552','250','120727698@qq.com','1920847','delivery_tencent','mx1.qq.com','/www/client/sendEmail -f \\\"=?utf-8?B?5aiB6ZSL572R?= <edm@weiphone.com>\\\" -t 120727698@qq.com -u \\\"=?utf-8?B?cWl1amluZ2h1YSDlnKjlqIHplIvnvZHkv67mlLnnmbvlvZXlr4bnoIHmiJDlip/noa7orqTkv6E=?=\\\" -m \\\"PCFkb2N0eXBlIGh0bWw+IAo8aHRtbD4gCjxoZWFkPiAKICAgIDxtZXRhIGNoYXJzZXQ9InV0Zi04Ij4gCiAgICA8dGl0bGU+5L+u5pS555m75b2V5a+G56CB5oiQ5YqfLeWogemUi+eUqOaIt+S4reW/gzwvdGl0bGU+IAo8L2hlYWQ+Cjxib2R5ID4KCTxkaXYgIHN0eWxlPSIgZmxvYXQ6bGVmdDsgYmFja2dyb3VuZC1jb2xvcjogI2U1ZWFmMTsgZm9udDoxNHB4LzEuNyB0YWhvbWEsYXJpYWwsJ0hpcmFnaW5vIFNhbnMgR0InLCdcNWI4Ylw0ZjUzJyxzYW5zLXNlcmlmOyB3aWR0aDoxMDAlOyBoZWlnaHQ6MTAwJTsiPgoJCTxkaXYgc3R5bGU9IiBjb2xvcjojNjY2OyBmb250LXNpemU6MTRweDsgbWFyZ2luOjAgYXV0bzsgd2lkdGg6NzQwcHg7Ij4KCQkJPGRpdiBzdHlsZT0iIGZsb2F0OmxlZnQ7ICBiYWNrZ3JvdW5kOiNmZmYgdXJsKGh0dHA6Ly9lZG0uZmVuZy5jb20vc3RhdGljL3RlbXBsYXRlcy81M2Y2YmUyY2U4YmI4L2ltYWdlcy90b3BfYmcuanBnKSBuby1yZXBlYXQgbGVmdCB0b3A7IGJvcmRlcjoxcHggc29saWQgI2UzZTNlMzsgcGFkZGluZzo4NXB4IDcwcHggNTRweCA3MHB4OyBoZWlnaHQ6YXV0bzsgd2lkdGg6NjAwcHg7IHBvc2l0aW9uOnJlbGF0aXZlOyI+CgkJCQk8ZGl2IHN0eWxlPSIgcG9zaXRpb246YWJzb2x1dGU7IHJpZ2h0Oi01MnB4OyB0b3A6NTJweDsiPjxpbWcgc3JjPSJodHRwOi8vZWRtLmZlbmcuY29tL3N0YXRpYy90ZW1wbGF0ZXMvNTNmNmJlMmNlOGJiOC9pbWFnZXMvZW1haWxfbG9nby5wbmciIGhlaWdodD0iOTAiIHdpZHRoPSIxOTciLz48L2Rpdj4KCQkJCTxoMSBzdHlsZT0iIGNvbG9yOiM0ODgyY2U7IGZvbnQtc2l6ZToyMnB4OyI+SGnvvIxxaXVqaW5naHVh77yaPC9oMT4KCQkJCTxkaXYgc3R5bGU9IiBtYXJnaW4tdG9wOjM1cHg7Ij4KCQkJCQk8aDEgc3R5bGU9ImNvbG9yOiMzMzM7IGZvbnQtc2l6ZToxNnB4OyI+5oKo55qE5aiB6ZSL5biQ5Y+3IHFpdWppbmdodWEg55m75b2V5a+G56CB6YeN572u5oiQ5Yqf77yM6K+356Gu6K6k5Li65oKo5pys5Lq65pON5L2c44CCPC9oMT4KCQkJCQk8cD7kuLrkuobkv53pmpzmgqjnmoTluJDlj7flronlhajvvIzor7fmgqjkv53nrqHlpb3oh6rlt7HnmoTlr4bnoIHlubblu7rorq7mgqjkuLrotKblj7forr7nva48YSBzdHlsZT0iY29sb3I6IzQ4ODJjZTsgdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTsgdGV4dC1kZ
WNvcmF0aW9uOnVuZGVybGluZSIgaHJlZj0iaHR0cDovL3Bhc3Nwb3J0LmZlbmcuY29tL2luZGV4LnBocD9yPXNhZnQvYmluZFNhZnRRQ2hvb3NlJmlnbm9yZT1jb2RlIiB0YXJnZXQ9Il9ibGFuayI+5a6J5YWo5o+Q56S66Zeu6aKYPC9hPuOAgjwvcD4KCQkJCQk8cD7mgqjov5jlj6/ku6XpgJrov4flqIHplIvkvJrlkZjkuK3lv4Pmn6XnnIvotKblj7flronlhajmiJbov5vooYzlr4bnoIHnrqHnkIbjgII8L3A+CgkJCQkJPHA+PGEgaHJlZj0iaHR0cDovL2VkbS5mZW5nLmNvbS9hcGkvdXJsanVtcC5odG1sP2NpZD0xOTIwODQ3Jm1pZD0zNTUyJmVtYWlsPTEyMDcyNzY5OEBxcS5jb20mdXJsPWh0dHAlM0ElMkYlMkZwYXNzcG9ydC5mZW5nLmNvbSIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjojNDg4MmNlOyB0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lOyI+5Lya5ZGY5Lit5b+DID48L2E+PC9wPgoJCQkJPC9kaXY+CgkJCQk8ZGl2IHN0eWxlPSIgYm9yZGVyLXRvcDoxcHggc29saWQgI2ViZWRmMTsgcGFkZGluZy10b3A6NDVweDsgbWFyZ2luOjMwcHggMCAyMHB4IDA7Ij7lqIHplIvnvZE8YSBocmVmPSJodHRwOi8vZWRtLmZlbmcuY29tL2FwaS91cmxqdW1wLmh0bWw/Y2lkPTE5MjA4NDcmbWlkPTM1NTImZW1haWw9MTIwNzI3Njk4QHFxLmNvbSZ1cmw9aHR0cCUzQSUyRiUyRnd3dy5mZW5nLmNvbSIgdGl0bGU9IuWogemUi+e9kSIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSIgY29sb3I6IzQ4ODJjZTsgbWFyZ2luOjAgMTBweDsgdGV4dC1kZWNvcmF0aW9uOm5vbmU7Ij5GZW5nLmNvbTwvYT4yMDE05bm0MTLmnIgxNeaXpTwvZGl2PgoJCQk8L2Rpdj4JCgkJCTxkaXYgc3R5bGU9IiBjbGVhcjpib3RoOyBjb2xvcjojNzU3NTc1OyBmb250LXNpemU6MTBweDsgcGFkZGluZzoyMHB4IDAgODBweDsgdGV4dC1hbGlnbjpjZW50ZXI7Ij4KCQkJCTxwIHN0eWxlPSJtYXJnaW46MDsgcGFkZGluZzowOyI+6L+Z5piv5LiA5bCB57O757uf56Gu6K6k5Ye977yM6K+35LiN6KaB5Zue5aSN5q2k6YKu5Lu277yB5q2k6YKu5Lu255qE5Zyw5Z2A5peg5rOV5o6l5Y+X5oKo5p2l5L+h44CCPC9wPgoJCQkJPHAgc3R5bGU9Im1hcmdpbjowOyBwYWRkaW5nOjA7Ij4gwqkgMjAxNCA8YSBocmVmPSJodHRwOi8vZWRtLmZlbmcuY29tL2FwaS91cmxqdW1wLmh0bWw/Y2lkPTE5MjA4NDcmbWlkPTM1NTImZW1haWw9MTIwNzI3Njk4QHFxLmNvbSZ1cmw9aHR0cCUzQSUyRiUyRnd3dy5mZW5nLmNvbSIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjojNDg4MmNlOyB0ZXh0LWRlY29yYXRpb246bm9uZTsiPkZlbmcuY29tPC9hPi4gQWxsIFJpZ2h0cyBSZXNlcnZlZC48L3A+CgkJCTwvZGl2PgkKCQk8L2Rpdj4KCTwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4KCjxpbWcgc3JjPSdodHRwOi8vZWRtLmZlbmcuY29tL2FwaS91cmxqdW1wL2luZGV4Lmh0bWw/Y2lkPTE5MjA4NDcmbWlkPTM1NTImZW1haWw9MTIwNzI3Njk4QHFxLmNvbSZ0eXBlPTEmdXJsPWh0dHA6Ly9lZG0uZ
mVuZy5jb20vc3RhdGljL2ltZy9pY29ucy9iZ19zcmMucG5nJyBzdHlsZT0nZGlzcGxheTpub25lJyAvPg==\\\" -s mx1.qq.com  -b 162.209.149.40  -o reply-to=support@office.weiphone.com -o message-content-type=html -o message-charset=utf8 -o timeout=6000 -o fqdn=162.209.149-40.edm.feng.com','Email was sent successfully','0','1418634847');


Each record contains: the mail body, the sending IP, the sender and the recipient.
The mail body is base64-encoded (encoding only, not encryption).
Decoding it yields the HTML of the message.
Opened as a web page, it looks like this:

[Image: 屏幕快照 2014-12-15 下午5.18.16.png]
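As an added audit example (not from the report and not Weiphone's code), the following Python parses a delivery-log record of the shape shown above, decodes the base64 body carried by the sendEmail `-m` argument, and lists the recipient, the sending IP and any account-recovery style links the body contains, so an operator can measure exactly what an exposed copy of such a log discloses. The record it runs on is constructed: only the column list and the argument layout of the command follow the page; the `example.test` addresses, the reset URL and the token value are placeholders.

```python
"""Audit helper (added example, not from the original report): parse a
mail-delivery log record of the shape shown above, decode the base64
message body that the sendEmail '-m' argument carries, and list what an
exposed copy of that log reveals. The record below is constructed; only
the column list and the command layout follow the page."""
import base64
import html
import re

# The log wraps shell arguments in the escaped sequence \\\" (three
# backslashes and a double quote); reproduce it for the constructed sample.
ESC_QUOTE = '\\\\\\"'

# Constructed sample mail body; the reset URL and token are placeholders.
SAMPLE_BODY_HTML = (
    "<html><body><p>Hi user,</p>"
    '<p>Your password was reset. <a href="https://passport.example.test/'
    'reset?token=PLACEHOLDER_TOKEN">Confirm</a></p></body></html>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_BODY_HTML.encode("utf-8")).decode("ascii")
SAMPLE_SUBJECT_B64 = base64.b64encode(b"Password reset").decode("ascii")

# Constructed record with the same 12 columns as the page's INSERT statement.
SAMPLE_RECORD = (
    "INSERT INTO `mail_deliver_log_queue` (did,ip,msgid,code,email,cid,domain,"
    "mx,cmd,reason,is_retry,add_time) VALUES ('1','203.0.113.10','42','250',"
    "'alice@example.test','7','delivery_example','mx.example.test',"
    f"'/www/client/sendEmail -f {ESC_QUOTE}Sender <edm@example.test>{ESC_QUOTE} "
    f"-t alice@example.test -u {ESC_QUOTE}=?utf-8?B?{SAMPLE_SUBJECT_B64}?={ESC_QUOTE} "
    f"-m {ESC_QUOTE}{SAMPLE_B64}{ESC_QUOTE} -s mx.example.test',"
    "'Email was sent successfully','0','1418634847');"
)

COLUMNS_RE = re.compile(r"\(([^)]*)\)\s*VALUES\s*\(", re.S)
# One SQL single-quoted value; backslash escapes inside it are kept as-is.
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'", re.S)
# The base64 body is the argument of '-m', between escaped double quotes.
# Whitespace is allowed because captured blobs are often line-wrapped.
BODY_RE = re.compile(r'-m\s+\\*"([A-Za-z0-9+/=\s]+)\\*"')
LINK_RE = re.compile(r"""href=["']([^"']+)["']""", re.I)
SENSITIVE_LINK_RE = re.compile(r"reset|passw|token=", re.I)


def parse_record(record):
    """Map the INSERT's column names onto its quoted values."""
    m = COLUMNS_RE.search(record)
    if not m:
        raise ValueError("not a mail_deliver_log_queue INSERT statement")
    columns = [c.strip() for c in m.group(1).split(",")]
    values = VALUE_RE.findall(record[m.end():])
    if len(values) != len(columns):
        raise ValueError(f"expected {len(columns)} values, found {len(values)}")
    return dict(zip(columns, values))


def decode_body(cmd):
    """Return the decoded HTML body from the sendEmail command, or None."""
    m = BODY_RE.search(cmd)
    if not m:
        return None
    raw = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def audit_record(record):
    """Summarise what one exposed record discloses to anyone who reads it."""
    fields = parse_record(record)
    body = decode_body(fields.get("cmd", "")) or ""
    links = [html.unescape(u) for u in LINK_RE.findall(body)]
    return {
        "recipient": fields.get("email"),
        "sending_ip": fields.get("ip"),
        "mx": fields.get("mx"),
        "sent_at": fields.get("add_time"),
        "links": links,
        "sensitive_links": [u for u in links if SENSITIVE_LINK_RE.search(u)],
    }


def audit_log(text):
    """Audit every INSERT statement in a captured log and return the records
    whose body carries an account-recovery style link."""
    findings = []
    for rec in re.findall(r"INSERT\s+INTO.*?\);", text, re.S):
        try:
            result = audit_record(rec)
        except ValueError:
            continue  # skip malformed or truncated records
        if result["sensitive_links"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_RECORD):
        print(f"{f['recipient']} via {f['sending_ip']}: {f['sensitive_links']}")
```

Run against a saved copy of a log in this format, `audit_log` returns one entry per record whose decoded body links to a password-reset or token-bearing URL, which is the measure of impact a vendor needs when deciding which reset links to invalidate; the remedy itself is to keep such delivery logs out of the document root (or deny web access to them) rather than to filter their contents.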

Proof of vulnerability:

[Image: weiphone.jpg]


The file changes continuously; fetching it on a schedule would cause a serious information leak.

Fix recommendation:

Copyright notice: when reposting, please credit 鸟云厂商@乌云


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2014-12-16 21:36

Vendor reply:

Thank you, we have fixed it. Please contact us so that we can send you a gift.

Latest status:

2014-12-16: Changed