当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098814

漏洞标题:智汇邦某站点未授权访问

相关厂商:智汇邦

漏洞作者: 路人甲

提交时间:2015-03-02 12:13

修复时间:2015-04-16 12:14

公开时间:2015-04-16 12:14

漏洞类型:未授权访问/权限绕过

危害等级:低

自评Rank:5

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-02: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-16: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

千人计划某站点未授权访问可泄露源文件及数据库备份文件

详细说明:

服务器ip为211.151.58.236,rsync未授权访问,可读不可写,数据库配置为内网环境,无法远程访问
未授权访问:

rsync  211.151.58.236::     
1000plan        1000plan source code
test            test
backup-1000plan backup db && backup file
var-www-qrjh_zhb        backup source
var-www-qrjh_zhb_data_upload    backup data_upload


网站源文件:

rsync  211.151.58.236::1000plan      
drwxrwxr-x        4096 2015/01/16 19:14:27 .
-rw-r--r--        5000 2014/11/05 16:14:43 .htaccess
-rwxr-xr-x        4998 2014/11/04 18:17:28 .htaccess.2014-11
-rwxr-xr-x        4893 2014/11/04 18:09:42 .htaccess.bak
-rwxrwxr-x       43360 2013/09/24 18:27:03 CHANGELOG.txt
-rwxrwxr-x         988 2013/09/24 18:27:03 COPYRIGHT.txt
-rwxrwxr-x        1924 2013/09/24 18:27:03 MAINTAINERS.txt
-rwxrwxr-x        5002 2013/09/24 18:27:03 UPGRADE.txt
-rwxrwxr-x        5810 2013/09/24 18:27:03 awstat.php
-rwxrwxr-x         262 2013/09/24 18:27:03 cron.php
-rwxrwxr-x        1406 2013/09/24 18:27:03 favicon.ico
-rwxrwxr-x        2358 2013/09/24 18:27:03 index.htm
-rwxrwxr-x        2637 2014/03/17 09:32:20 index.php
-rwxrwxr-x        2665 2014/03/15 16:30:42 index.php.bak
-rwxrwxr-x        7710 2013/09/24 18:27:03 login.htm
-rwxrwxr-x        1490 2014/09/05 17:12:56 niu.html
-rwxrwxr-x        1590 2013/09/24 18:27:03 robots.txt
-rwxrwxr-x         266 2013/09/24 18:27:03 sitemap.xml
-rwxrwxr-x         125 2013/09/24 18:27:03 temp.xml
-rwxrwxr-x          30 2014/06/12 18:49:13 test.txt
-rwxrwxr-x       25457 2013/09/24 18:27:03 update.php
-rwxrwxr-x          32 2013/09/24 18:27:03 webscan_360_cn.html
-rwxrwxr-x         352 2013/09/24 18:27:03 xmlrpc.php
drwxrwxr-x        4096 2015/01/16 19:18:00 .svn
drwxrwxr-x        4096 2013/09/24 18:27:03 Storage
drwxrwxr-x        4096 2015/02/28 17:41:27 chuangye
drwxrwxr-x        4096 2014/10/17 15:38:22 include
drwxrwxr-x        4096 2013/09/24 18:26:32 includes
drwxrwxr-x        4096 2013/09/24 18:26:23 jiancai
drwxrwxr-x        4096 2015/01/16 18:28:21 js
drwxrwxr-x        4096 2013/09/24 18:26:20 lianyihuisite
drwxrwxr-x        4096 2013/09/24 18:26:59 misc
drwxrwxr-x        4096 2013/09/24 18:26:35 modules
drwxrwxr-x        4096 2013/12/18 20:21:55 ocs
drwxrwxr-x        4096 2013/09/24 18:26:21 profiles
drwxrwxr-x        4096 2014/09/04 18:29:49 pushmail
drwxrwxr-x        4096 2013/09/24 18:26:22 scripts
drwxrwxr-x        4096 2013/09/24 18:26:32 site
drwxrwxr-x        4096 2013/09/24 18:26:39 sites
drwxrwxr-x        4096 2013/09/24 18:26:21 themes
drwxrwxr-x        4096 2014/12/25 11:28:11 tools
drwxrwxr-x        4096 2013/08/22 12:14:28 trunk
drwxrwxrwx        4096 2015/02/28 08:55:57 wiki
drwxr-xr-x        4096 2015/01/16 19:14:50 wiki_bak
drwxrwxr-x        4096 2013/09/24 18:26:59 wiki_syn
drwxr-xr-x        4096 2014/11/10 14:05:21 ycfw
drwxrwxr-x        4096 2013/09/24 18:26:32 zhaopin_test
drwxr-xr-x        4096 2014/12/29 11:36:27 zj


数据库备份文件:

rsync  211.151.58.236::backup-1000plan/qrjh_14120111.sql.back

漏洞证明:

如上

修复方案:

添加访问权限

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝