当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078567

漏洞标题:IT168多个某分站SVN信息泄漏(包含多个DB连接密码)

相关厂商:IT168.com

漏洞作者: Eoh

提交时间:2014-10-07 19:39

修复时间:2014-10-13 09:36

公开时间:2014-10-13 09:36

漏洞类型:应用配置错误

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-07: 细节已通知厂商并且等待厂商处理中
2014-10-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://amoi.it168.com/.svn/entries
http://apple.it168.com/.svn/entries
http://gphone.it168.com/.svn/entries

漏洞证明:

Repository URL: http://svn.corp.it168.com/ITS/branches/release1.3/code/frontend
Repository files/directories:
<dir> notice/
<dir> images/
<dir> css/
<dir> ws/
<dir> WEB-APP/
<dir> js/
favicon.ico
Repository users:
gaoyuan


路径: WEB-APP - config - cron.php
<?php
//----------------------- ITS 建索引cron数据库配置 ---------------------//
//----------------------------------------------------------------------//
//调试模式默认为假
$GLOBALS['APP_DEBUG'] = false;
/**
* 配置说明:
* $cfg[$type][$site] 二维数组,$type表示搜索类型(bbs,article,image,ask..),$site表示哪个站点
* -------------------------------------------
* dbtype -- 数据库类型(mysql,mssql..)
* dbtypeSqlHelper -- 生成SQL语句助手
* host -- 数据库服务器的IP地址,
* port -- 数据库服务器的I端口
* user -- 数据库用户名
* pass -- 数据库用户的密码
* dbname -- 数据库名称
* table -- 数据来源这个表(说明,Discuz需要多表联合查询,直接写到类里面)
* startKey -- 索引字段,可能需要直接的sql语句...
* charset -- 连接字符集,可不设置
* dbUnique -- 数据库来源的唯一标示
* apiName -- '/apiName' 等同于 $solrPath[$type]
* rowNum -- 每次查询数据行数
* 以上两个字段组成一个数据映射类处理数据库字段到Solr服务字段的关系
*/
//------- 各论坛(有问必答)的数据库配置-------//
$cfg['bbs']['macos.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.190',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'macos',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['oaweixiu.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.190',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'oaweixiu',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['photobbs.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.190',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'photobbs',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['softbbs.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.190',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'softbb',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['amoi.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.193',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'amoibbs',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['anycall.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.193',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'anycall',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['benyouhui.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.191',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'benyouhui',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['ce.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.190',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'cebbs',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['tianyi.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.191',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'ypg',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['diybbs.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.144',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'diybbs',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['moto.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.144',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'moto',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['sebbs.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.192',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'sebbs',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
$cfg['bbs']['nokia.it168.com'] = array(
'dbtype' => 'mysql',
'host' => '61.55.167.193',
'port' => '3306',
'user' => 'hhy',
'pass' => 'hhy!@##@!',
'dbname' => 'nokiabbs',
'table' => 'cdb_threads',
'startKey' => 'tid',
'dbUnique' => 'bbs',
'apiName' => 'bbs',
'rowNum' => 100
);
//------------------文章------------------//
//新文章表
$cfg['article']['cms.it168.com'] = array(
'dbtype' => 'mssql',
'dbtypeSqlHelper' =>'cmsArticle',
'host' => '61.55.167.70',
'port' => '1433',
'user' => 'User_App_TRS',
'pass' => 'YJDqL/g$/nuWsU4',
'dbname' => 'cms_trs',
'table' => 'view_cms_trs',
'startKey' => 'ID',
'dbUnique' => 'cms',
'apiName' => 'article',
'rowNum' => 100
);
//旧文章视图,大概有70W条数据
$cfg['article']['cmsview.it168.com'] = array(
'dbtype' => 'mssql',
'dbtypeSqlHelper' =>'cmsview',
'host' => '202.106.124.15',
'port' => '1433',
'user' => 'user_app_cmsdbquery',
'pass' => 'B!.0BD02?FA0F5B9',
'dbname' => 'CMSDBQuery',
'table' => 'view_Article_For_Search',
'startKey'=> 'cDoc_id',
'dbUnique'=> 'cmsview',
'apiName' => 'article',
'rowNum' => 100
);
//------------------图片-----------------//
$cfg['image']['product.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '202.106.124.15',
'port' => '1433',
'user' => 'User_App_reader',
'pass' => '8613sg12s3j8Bz',
'dbname' => 'Product',
'table' => 'view_picture',
'startKey'=> 'cBig_Pic_Id',
'dbUnique'=> 'product',
'apiName' => 'image',
'rowNum' => 100
);
$cfg['image']['video.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '202.106.124.15',
'port' => '1433',
'user' => 'User_App_reader',
'pass' => '8613sg12s3j8Bz',
'dbname' => 'Product',
'table' => 'view_shipin',
'startKey'=> 'iID',
'dbUnique'=> 'video',
'apiName' => 'image',
'rowNum' => 100
);
//可以接受任意字符开头的resource:)
$cfg['image']['3d.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '202.106.124.15',
'port' => '1433',
'user' => 'User_App_reader',
'pass' => '8613sg12s3j8Bz',
'dbname' => 'Product',
'table' => 'view_quangjing',
'startKey'=> 'cSpace_Code',
'dbUnique'=> '3d',
'apiName' => 'image',
'rowNum' => 100
);
//------------------经销商------------------//
$cfg['dealer']['dealer.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '58.83.162.8',
'port' => '1681',
'user' => 'User_App_business',
'pass' => '4am2dB9jE7J888',
'dbname' => 'business',
'table' => 'tbl_dealer_trs2',
'startKey'=> 'dealerId', //新加的唯一键
'dbUnique'=> 'dealer',
'apiName' => 'dealer',
'rowNum' => 100
);
$cfg['dealerPro']['dealerPro.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '58.83.162.8',
'port' => '1681',
'user' => 'User_App_business',
'pass' => '4am2dB9jE7J888',
'dbname' => 'business',
'table' => 'tbl_dealer_trs3',
'startKey'=> 'dealerId', //新加的唯一键
'dbUnique'=> 'dealerPro',
'apiName' => 'dealerPro',
'rowNum' => 100
);
$cfg['dealerBrand']['dealerBrand.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '58.83.162.8',
'port' => '1681',
'user' => 'User_App_business',
'pass' => '4am2dB9jE7J888',
'dbname' => 'Product',
'table' => 'viw_R_space_type_brand',
'startKey'=> 'id', //新加的唯一键
'dbUnique'=> 'dealerBrand',
'apiName' => 'dealerBrand',
'rowNum' => 100
);
//------------------产品库------------------//
$cfg['product']['product.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '10.168.0.21',
'port' => '1433',
'user' => 'sa',
'pass' => 'd',
'dbname' => 'it168query',
'table' => 'view_Product_sou',
'startKey' => 'cSpace_Code',
'dbUnique' => 'product',
'apiName' => 'product',
'rowNum' => 100
);
$cfg['autoProduct']['autoProduct.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.6',
'port' => '1433',
'user' => 'sou_read_user',
'pass' => 'CBF9D2C0EFFD',
'dbname' => 'POP_ProductInfo',
'table' => 'PhpGroup_SearchProduct',
'startKey' => 'F_ProductSN',
'dbUnique' => 'autoProduct',
'apiName' => 'autoProduct',
'rowNum' => 100
);
$cfg['autoProduct']['categoryBrand.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.6',
'port' => '1433',
'user' => 'sou_read_user',
'pass' => 'CBF9D2C0EFFD',
'dbname' => 'POP_ProductInfo',
'table' => 'PhpGroup_SearchBrand',
'startKey' => 'ID',
'dbUnique' => 'categoryBrand',
'apiName' => 'autoProduct',
'rowNum' => 100
);
$cfg['autoProduct']['category.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.6',
'port' => '1433',
'user' => 'sou_read_user',
'pass' => 'CBF9D2C0EFFD',
'dbname' => 'POP_ProductInfo',
'table' => 'PhpGroup_SearchSubCategory',
'startKey' => 'F_SubCategorySN',
'dbUnique' => 'category',
'apiName' => 'autoProduct',
'rowNum' => 100
);
//it168产品自动完成配置
$cfg['autoProduct']['product.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.154',
'port' => '1433',
'user' => 'user_app_sps2009db',
'pass' => '9565EA73F9F0D4C5',
'dbname' => 'it168query',
'table' => 'view_Product_sou',
'startKey' => 'cSpace_Code',
'dbUnique' => 'product',
'apiName' => 'autoProduct',
'rowNum' => 100
);
$cfg['autoProduct']['type.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.154',
'port' => '1433',
'user' => 'user_app_sps2009db',
'pass' => '9565EA73F9F0D4C5',
'dbname' => 'it168query',
'table' => 'ProductSubCategory',
'startKey' => 'SubCategorySN',
'dbUnique' => 'type',
'apiName' => 'autoProduct',
'rowNum' => 100
);
$cfg['autoProduct']['typeBrand.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.154',
'port' => '1433',
'user' => 'user_app_sps2009db',
'pass' => '9565EA73F9F0D4C5',
'dbname' => 'it168query',
'table' => 'View_CategoryBrand',
'startKey' => 'typeBrand',
'dbUnique' => 'typeBrand',
'apiName' => 'autoProduct',
'rowNum' => 100
);
//拼写检查
$cfg['spellCheck']['product.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '192.168.1.154',
'port' => '1433',
'user' => 'user_app_sps2009db',
'pass' => '9565EA73F9F0D4C5',
'dbname' => 'IT168Query',
'table' => 'ForSearchInfo',
'startKey' => 'ID',
'dbUnique' => 'product',
'apiName' => 'spellCheck',
'rowNum' => 100
);
//自动提示
$cfg['autoSuggest']['shopProduct.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '10.168.0.144',
'port' => '1433',
'user' => 'sa',
'pass' => '134679',
'dbname' => 'ebussiness',
'table' => 'admi_product',
'startKey' => 'pro_id',
'dbUnique' => 'shopProduct',
'apiName' => 'autoSuggest',
'rowNum' => 100
);
//------------------关键字(keyword)------------------//
$cfg['keyword']['keyword.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '58.83.162.7',
'port' => '1085',
'user' => 'user_reader_new',
'pass' => 'IUL3456ner*erD',
'dbname' => 'CMSDB',
'table' => 'keywordlist',
'startKey' => 'Id',
'dbUnique' => 'keyword',
'apiName' => 'keyword',
'rowNum' => 100
);
//----------------软件及驱动(Soft)-------------------//
$cfg['soft']['soft.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '202.99.120.118',
'port' => '1433',
'user' => 'User_App_Read',
'pass' => 'IOnir345*sruYTQ',
'dbname' => 'Resource',
'table' => 'View_Read_resource',
'startKey' => 'resourceid',
'dbUnique' => 'soft',
'apiName' => 'soft',
'rowNum' => 100
);
$cfg['soft']['driver.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '202.99.120.116',
'port' => '1433',
'user' => 'user_reader',
'pass' => 'U345()23k.oy*Uiper',
'dbname' => 'download',
'table' => 'view_driver',
'startKey' => 'iDriver_ID',
'dbUnique' => 'driver',
'apiName' => 'soft',
'rowNum' => 100
);
//----------------说明书(manual)-------------------//
$cfg['manual']['manual.it168.com'] = array(
'dbtype' => 'mssql',
'host' => '202.106.124.15',
'port' => '1433',
'user' => 'User_App_reader',
'pass' => '8613sg12s3j8Bz',
'dbname' => 'Product',
'table' => 'view_search_guide',
'startKey' => 'Gid',
'dbUnique' => 'manual',
'apiName' => 'manual',
'rowNum' => 100
);
//----------------术语(term)-------------------//
$cfg['term']['term.it168.com'] = array(
'dbtype' => 'mssql',
'dbtypeSqlHelper' => 'term',
'host' => '58.83.162.8',
'port' => '1681',
'user' => 'User_App_pinglun_Read',
'pass' => 'UTC*93$xt14Rt',
'dbname' => 'Product',
'table' => 'view_search_word',
'startKey' => 'cWord_id',
'dbUnique' => 'term',
'apiName' => 'term',
'rowNum' => 100
);
//----------------经销商产品(dealerProduct)-------------------//
$cfg['dealerProduct']['dealerProduct.it168.com'] = array(
'dbtype' => 'mssql',
'dbtypeSqlHelper' => 'dealerProduct',
'host' => '10.168.0.91',
'port' => '1433',
'user' => 'sa',
'pass' => 'pcpopsa',
'dbname' => 'Sen_Franchiser',
'table' => 'dbo.Tab_FranchiserPrice_416',
'startKey' => 'dealerProductId',
'dbUnique' => 'dealerProduct',
'apiName' => 'dealerProduct',
'rowNum' => 100
);

修复方案:

删除.svn目录

版权声明:转载请注明来源 Eoh@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-10-13 09:36

厂商回复:

最新状态:

暂无