当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0198769

漏洞标题:同花顺某交易服务器存在心脏滴血漏洞

相关厂商:同花顺

漏洞作者: 路人甲

提交时间:2016-04-21 09:40

修复时间:2016-06-05 10:50

公开时间:2016-06-05 10:50

漏洞类型:重要敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-21: 厂商已经确认,细节仅向厂商公开
2016-05-01: 细节向核心白帽子及相关领域专家公开
2016-05-11: 细节向普通白帽子公开
2016-05-21: 细节向实习白帽子公开
2016-06-05: 细节向公众公开

简要描述:

同花顺某交易服务器存在心脏滴血漏洞,包含交易信息和用户凭证

详细说明:

服务器:
https://etrade.10jqka.com.cn
http://183.131.12.195/

.............................................0.......................listen..80..server_name..cso6.10jqka.com.cn..access_log..logs/cso.access.log..main......p*..............8................q.......t......................................h......................................................................./usr/local/nginx/logs/cso.access.log.error_log..logs/cso.error.log..notice...............t....................................................................../usr/local/nginx/logs/cso.error.log.root../var/www/cso/www..location.m\\.html$.de`|...............+......8-......./......................./.......0...... 0......P0......`0.......0...............................0......81...............1.......5......88......0;.......=..............X1................


userid=81490232; u_name=lfwaj; escapename=lfwaj; ticket=03592219f02b9f0ba35f0f739912e8fc; @#!userid!#@=81490232...........U`{0...v...F..............0NTkzMTMzOTQ6OjoxMjY4OTYyMDIwOjIyNzQwNjow; userid=81490232; u_name=lfwaj; escapename=lfwaj; ticket=03592219f02b9f0ba35f0f739912e8fc; @#!userid!#@=81490232.....%\".N...[.7j.!}....r......I6MTQ1OTI5MjAyNzo6OjEyODE3MDg3MjA6MjI3MTczOjA%3D; userid=88555752; u_name=hchg102; escapename=hchg102; ticket=de50dbbbfa96e070edcdd919929f6e6b; pid588886022=61755281; pid588886569=61757153; pid588870065=61742895; pid588887087=61761640; pid588894114=61783893; hxmPid=seq_588894114..X-Requested-With: com.hexin.plat.android..If-None-Match: \"568f9f47-1e36\"..If-Modified-Since: Fri, 08 Jan 2016 11:36:39 GMT........P.$.rE\"X......#....... u(.>.`(C..-V.....3............Jan 2016 11:36:37 GMT....|XQ/u....IU....9.0_\"...........Ph...m..om.hexin.plat.android....V{...6..2=6..-...d.....zOzY5LDExMTExMTExMTExMTExMTExMTExMTExMSw1Mzs3MSwxMTExMTExMTExMTExMTExMTExMTAwMDAsNTM7NzIsMSw1Mzs3MywxMTExLDUzOzc0LDEsNTM7NzUsMSw1Mzs3NiwxMSw1Mzs3NywxMTExMTEsNTM7NzgsMSw1Mzs3OSwwMTExLDUzOjE2Ojo6MTk0MzU1ODMxOjE0NTgxNzgwODk6OjoxNDA4Njg1NjQwOjIyODcxMTow; userid=194355831; u_name=mx_194355831; escapename=mx_194355831; ticket=ac3dadf2328a37524f58d1bacf9cfedb..X-Requested-With: com.hexin.plat.android......th..f...t.U..C.|.k............................ ...............@...............

漏洞证明:

证明:
https://etrade.10jqka.com.cn/mobile/tpl.php?id=24718192_1459319786_4_52112

10jqka.png

修复方案:

更新补丁

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-04-21 10:49

厂商回复:

你好,漏洞已确认,正在进行修复,谢谢。

最新状态:

暂无