当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0128817

漏洞标题:威锋某系统重要信息泄露

相关厂商:weiphone

漏洞作者: 路人甲

提交时间:2015-07-23 23:57

修复时间:2015-09-07 10:38

公开时间:2015-09-07 10:38

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-24: 厂商已经确认,细节仅向厂商公开
2015-08-03: 细节向核心白帽子及相关领域专家公开
2015-08-13: 细节向普通白帽子公开
2015-08-23: 细节向实习白帽子公开
2015-09-07: 细节向公众公开

简要描述:

威锋某系统重要信息泄露

详细说明:

备份文件导致ROOT密码泄露

漏洞证明:

http://editor.feng.com/config.php.bak

<?php
$db_config['db_driver']   = 'db';	              //db,adodb,mdb
$db_config['db_type']     = 'mysql';                  //mysql,mssql,oracle
$db_config['db_host']     = 'localhost:3306';      //数据库主机	
$db_config['db_user']     = 'root';      //数据库用户名	
$db_config['db_password'] = 'cididc_yp106520921';  //数据库用户密码	
$db_config['db_name']     = 'editor_naivix_com';      //数据库名		
$db_config['table_pre']   = 'cmsware_'; //CMS表名前缀	
$db_config['db_charset']   = 'utf8'; //数据库字符集 latin1,utf8,utf8...
$SYS_CONFIG['enable_validcode'] = 0; //是否开启登陆图形验证码. 1-开启,0-关闭
$SYS_CONFIG['language'] = 'utf8-zh'; //系统语言
$SYS_CONFIG['ftp_mode'] = 0 ; //系统运行在FTP模式,1-是,0-否
$SYS_CONFIG['ftp_host'] = 'cmsware'; //FTP主机地址
$SYS_CONFIG['ftp_port'] = '21'; //FTP服务器端口
$SYS_CONFIG['ftp_username'] = 'cms'; //FTP用户名
$SYS_CONFIG['ftp_password'] = 'cms'; //FTP密码
$SYS_CONFIG['ftp_cms_admin_path'] = ''; //CMS管理目录相对FTP根目录的路径 
$SYS_CONFIG['dir_mode'] = 0777; //系统创建目录的默认权限
$SYS_CONFIG['file_mode'] = 0777; //系统创建文件的默认权限
$SYS_CONFIG['error_reporting'] = 'html'; //系统报错模式 file,html,js
$SYS_CONFIG['tpl_error_display'] = true; //是否在最终页面显示报错信息 true, false
$SYS_CONFIG['admin_dir_name'] = 'admin'; //管理入口目录名
//--------------------------------以下部分请不要修改--------------------------//
$db_config['table_content_pre']     = 'content';	
$db_config['table_contribution_pre']     = 'contribution';	
$db_config['table_collection_pre']     = 'collection';	
$db_config['table_publish_pre']     = 'publish';
$lang_user = 'lang_user';
$lang_admin = 'lang_admin';
$SYS_DEBUG = true;
class table {
	var $sys;
	var $user;
	var $group;
	var $admin_sessions;
	var $sessions;
	var $site;
	var $cate;
	var $content_fields;
	var $content_index;
	var $content_table;
 	var $psn;
 	var $resource;
	var $publish_log;
	var $collection_cate;
	var $collection_rules;
	var $tasks;
 	var $contribution;
	var $resource_ref;
	var $workflow;
	var $workflow_state;
	var $workflow_record ;
	var $log_admin;
	var $log_login ;
	var $block_ip;
	var $contribution_note;
	
  	var $keywords;
	var $pubadminmasks;
 	var $plugins;
	var $tpl_vars;
 	var $tpl_cate;
 	var $tpl_data;
	function table()
	{
		global $db_config;
		$this->sys = $db_config['table_pre'].'sys';
		$this->user = $db_config['table_pre'].'user';
		$this->group = $db_config['table_pre'].'group';	
		$this->admin_sessions = $db_config['table_pre'].'admin_sessions';
		$this->sessions = $db_config['table_pre'].'sessions';
		$this->site = $db_config['table_pre'].'site';
		$this->content_fields = $db_config['table_pre'].'content_fields';
		$this->content_index = $db_config['table_pre'].'content_index';
		$this->content_table = $db_config['table_pre'].'content_table';
		$this->psn = $db_config['table_pre'].'psn';
		$this->resource = $db_config['table_pre'].'resource';
		$this->publish_log = $db_config['table_pre'].'publish_log';
		$this->collection_cate = $db_config['table_pre'].'collection_category';
		$this->collection_rules = $db_config['table_pre'].'collection_rules';
		$this->tasks = $db_config['table_pre'].'tasks';
		$this->cate = $db_config['table_pre'].'category';
		$this->contribution = $db_config['table_pre'].'contribution';
		$this->contribution_note = $db_config['table_pre'].'contribution_note';
 
		$this->keywords = $db_config['table_pre'].'keywords';
		$this->pubadminmasks = $db_config['table_pre'].'pubadminmasks';
		$this->plugins = $db_config['table_pre'].'plugins';
		$this->tpl_vars = $db_config['table_pre'].'tpl_vars';
		$this->resource_ref = $db_config['table_pre'].'resource_ref';
		
		$this->workflow = $db_config['table_pre'].'workflow';
		$this->workflow_state = $db_config['table_pre'].'workflow_state';
		$this->workflow_record = $db_config['table_pre'].'workflow_record';
		
		$this->log_login = $db_config['table_pre'].'log_login';
		$this->log_admin = $db_config['table_pre'].'log_admin';
		$this->block_ip = $db_config['table_pre'].'block_ip';
	
		$this->tpl_cate  = $db_config['table_pre'].'tpl_cate';
		$this->tpl_data = $db_config['table_pre'].'tpl_data';
		$this->tpl_block = $db_config['table_pre'].'tpl_block';
		$this->extra_publish = $db_config['table_pre'].'extra_publish';
		$this->node_fields = $db_config['table_pre'].'node_fields';
	}
}
$table=new table();
define("TPL_Error_Display", $SYS_CONFIG['tpl_error_display']);
define("ADMIN_NAME", $SYS_CONFIG['admin_dir_name']);
?>

修复方案:

删之

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:4

确认时间:2015-07-24 10:36

厂商回复:

谢谢提醒

最新状态:

暂无