
漏洞概要

缺陷编号:wooyun-2015-0145636

漏洞标题:百度某安全产品部分代码泄露涉及敏感信息

相关厂商:百度

漏洞作者: wolf

提交时间:2015-10-10 09:44

修复时间:2015-11-24 10:02

公开时间:2015-11-24 10:02

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]




漏洞详情

披露状态:

2015-10-10: 细节已通知厂商并且等待厂商处理中
2015-10-10: 厂商已经确认,细节仅向厂商公开
2015-10-20: 细节向核心白帽子及相关领域专家公开
2015-10-30: 细节向普通白帽子公开
2015-11-09: 细节向实习白帽子公开
2015-11-24: 细节向公众公开

简要描述:

源码泄露，连带暴露了一批数据库及其他服务的连接凭据

详细说明:

http://scan.safe.baidu.com/.svn/entries（站点根目录下的 SVN 元数据目录可通过 Web 直接访问，由此可还原出部分源码及配置文件）

1.png

漏洞证明:

3.png


; Leaked service configuration as quoted in the report (transcribed from the screenshot); values reproduced verbatim.
; NOTE(review): every *_pass value below is a plaintext credential exposed by the .svn leak — treat all of them as compromised.
[db]
; database endpoint and login; 3306 is MySQL's default port and a later fragment uses MySQLdb — presumably a MySQL server
db_port = 3306
db_user = root
db_host = 127.0.0.1
db_pass = admin
db_dbname = nss
db_charset = utf8
[redis]
; redis endpoint; the same password reappears under [virusResultRedis] and as REDIS_PASS in the Python fragment below
redis_host = 127.0.0.1
redis_port = 6379
redis_pass = b8HJ9k56tY1Xza7uTba7612alpw3
[bk]
; host/port pair; the service behind "bk" is not identified on the page (11300 is beanstalkd's default port — TODO confirm)
bk_host = 127.0.0.1
bk_port = 11300
[download]
; local download directory and an internal sample URL; the key name "sample_rul" (sic) is kept exactly as leaked
dl_path = /data/download
sample_rul = http://dbl-seclab-back14.dbl01:8080/resource/apps/
[sampleredis]
; second redis instance on a different port with its own password
sample_host = 127.0.0.1
sample_port = 6380
sample_pass = bslfng
[virusResultRedis]
; same host, port and password as [redis]
virusRet_host = 127.0.0.1
virusRet_port = 6379
virusRet_pass = b8HJ9k56tY1Xza7uTba7612alpw3
# Settings fragment quoted from the leaked source (transcribed from the screenshot); values verbatim.
# NOTE(review): hard-coded internal addresses plus a root database password — all compromised by the leak.
REDIS_HOST = '10.212.106.42'
REDIS_PORT = 6379
# same password as redis_pass / virusRet_pass in the INI fragment above
REDIS_PASS = 'b8HJ9k56tY1Xza7uTba7612alpw3'
DB_HOST = '10.212.106.41'
DB_USER = 'root'
DB_PASSWD = '3db7401e'
DB_NAME = 'nss'
# bare client construction with inline credentials (same password as sample_pass above);
# whether the result is assigned or used directly is not shown on the page
redis.Redis(host='10.40.67.20', password='bslfng', port=6379, db=0)
# Two keyword-argument lists from connection-pool constructor calls; the calls themselves are not shown.
# `creator=MySQLdb` looks like the DBUtils PooledDB/PersistentDB interface — TODO confirm against the source.
# NOTE(review): the same root password as DB_PASSWD above is embedded inline; the first pool targets port 8306, the second 3306.
creator=MySQLdb,
host='10.212.106.41',
user='root',
passwd='3db7401e',
db='nss',
port=8306,
# second pool: different host, MySQL's default port
creator = MySQLdb,
host = '10.212.106.45',
port = 3306,
user = 'root',
passwd = '3db7401e',
db = 'nss',
# SMTP notification settings quoted from the leaked source (verbatim); the commented-out lines are apparently
# the earlier Yahoo-based values the author replaced and left in the file.
# NOTE(review): the mailbox login (USR / PASSWD) is stored in plaintext in source and is compromised by the leak.
#Email info
#SMTP_SERVER = 'smtp.mail.yahoo.com:587'
SMTP_SERVER = 'smtp.qq.com'
#SENDER = 'bdseclabauto@yahoo.com'
SENDER = 'bdseclabauto@qq.com'
# recipient list; the trailing backslash is redundant inside an open bracket
RECVER = ['wanglei20@baidu.com', 'shimin02@baidu.com', 'zhangzhigui@baidu.com', \
'fengyajie@baidu.com', 'jiyanyan@baidu.com', 'liukai15@baidu.com', 'liuboyan@baidu.com']
#RECVER = ['jiyanyan@baidu.com', 'liukai15@baidu.com', 'zhangzhigui@baidu.com']
SUBJECT = "[Monitor]: Baidu Cloud Security Platform monitoring report"
#USR = 'bdseclabauto@yahoo.com'
# numeric login; presumably the QQ account number behind SENDER — TODO confirm
USR = '2759026024'
#PASSWD = 'trustgoer2015'
PASSWD = '=bm125'
tgautonotification@gmail.com trustgoer
# Partner registry fragment: partner name -> {'id', 'key'}; the enclosing dict literal is not shown.
# The 'baidu' and 'appchina' keys reappear, inverted, in api_keys below.
# NOTE(review): these look like per-partner API secrets — treat as compromised.
'baidu': {'id': 1, 'key': '905f333d0cce7f58ed452f8a825c2f0cb96a4c71'},
'appchina': {'id': 2, 'key': '3dd697812da9960a1e72429cb017e97c4a535c83'},
'crossmo': {'id': 3, 'key': '72d67561c2c0dff2d59080796d0d4f698eded10b'},
'4399': {'id': 4, 'key': '9fc50a8a4741a718a849fe7049c3341dab916ee0'},
'cncert': {'id': 5, 'key': 'c903889bd890d59e64ac9e9dd116e7170bdcf738'},
'hisense': {'id': 6, 'key': 'c99c3292c57b7bc3867f62a5126a2ac1a6d5cd81'},
# Reverse lookup: API key -> partner name (inverse of the partner registry fragment above).
# NOTE(review): the 'gionee' entry is listed twice with the same value; in Python the last duplicate wins,
# so it is harmless here, but the duplicate should be removed. The 'bsltest' key is not hex like the
# others — apparently a test credential. Per the dict name these are API credentials; treat as compromised.
api_keys = {
'905f333d0cce7f58ed452f8a825c2f0cb96a4c71': 'baidu',
'3dd697812da9960a1e72429cb017e97c4a535c83': 'appchina',
'92a1ce5e0032530391edae8c79336c9929f15296': 'lenovomm',
'f508ac57765b7beaad9141f4c00039467f08a302': 'bpit',
'b701b3525bcc274d4eae80d181b85f2664096e4f': 'gionee',
'8fc547cdda7cc69be41169a05b4a8937dd05e175': 'pixiu',
'3ef39aec47565a783de750b0bebdbfb72cb12ab4': 'vsearch',
# duplicate of the 'gionee' entry above
'b701b3525bcc274d4eae80d181b85f2664096e4f': 'gionee',
'xh5fkulj2dvhtu9apbyzrevb8yf3ixdwcq6joeol': 'bsltest',
'39aff70c29cb063cc28928326ea0f40fd03d5b9c': 'testin',
'c347265fc2e41812da52a816ad7f1122ec344f9f': 'musi',
'296c61378753442c7a9fffb3087eba1bea977076': 'musi_test',
}

修复方案:

（报告未给出。审校注：常规处理为从 Web 根目录移除 .svn 目录并在服务端禁止访问该路径，同时轮换上文泄露的全部数据库、Redis、SMTP 及合作方 API 凭据。）

版权声明:转载请注明来源 wolf@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-10 10:00

厂商回复:

感谢提交

最新状态:

暂无