
漏洞概要

缺陷编号:wooyun-2015-0128817

漏洞标题:威锋某系统重要信息泄露

相关厂商:weiphone

漏洞作者: 路人甲

提交时间:2015-07-23 23:57

修复时间:2015-09-07 10:38

公开时间:2015-09-07 10:38

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]



漏洞详情

披露状态:

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-24: 厂商已经确认,细节仅向厂商公开
2015-08-03: 细节向核心白帽子及相关领域专家公开
2015-08-13: 细节向普通白帽子公开
2015-08-23: 细节向实习白帽子公开
2015-09-07: 细节向公众公开

简要描述:

威锋某系统重要信息泄露

详细说明:

Web 目录下遗留的配置备份文件(config.php.bak)不会被当作 PHP 解析,可以直接下载,导致其中的数据库 root 账号密码泄露。

漏洞证明:

http://editor.feng.com/config.php.bak

<?php
// Database connection and system settings for the CMS.
// NOTE(review): this file holds credentials in plaintext, so any readable copy of it
// (for example a .bak left next to the original, which is served as text instead of being
// executed as PHP) discloses them; keep backup copies outside the document root.
$db_config['db_driver'] = 'db'; // db, adodb, mdb
$db_config['db_type'] = 'mysql'; // mysql, mssql, oracle
$db_config['db_host'] = 'localhost:3306'; // database host
// NOTE(review): the application connects as root; a dedicated account restricted to this
// schema would limit the impact of a leaked credential.
$db_config['db_user'] = 'root'; // database user name
// NOTE(review): this value has been publicly disclosed; treat it as compromised and rotate it.
$db_config['db_password'] = 'cididc_yp106520921'; // database user password
$db_config['db_name'] = 'editor_naivix_com'; // database name
$db_config['table_pre'] = 'cmsware_'; // CMS table-name prefix
$db_config['db_charset'] = 'utf8'; // database character set: latin1, utf8, utf8...
// NOTE(review): the graphical verification code on login is switched off here.
$SYS_CONFIG['enable_validcode'] = 0; // login CAPTCHA: 1 = enabled, 0 = disabled
$SYS_CONFIG['language'] = 'utf8-zh'; // system language
$SYS_CONFIG['ftp_mode'] = 0 ; // run the system in FTP mode: 1 = yes, 0 = no
$SYS_CONFIG['ftp_host'] = 'cmsware'; // FTP host address
$SYS_CONFIG['ftp_port'] = '21'; // FTP server port
// NOTE(review): FTP mode is off above, so these look like unused defaults - confirm they
// are not valid on any reachable FTP service.
$SYS_CONFIG['ftp_username'] = 'cms'; // FTP user name
$SYS_CONFIG['ftp_password'] = 'cms'; // FTP password
$SYS_CONFIG['ftp_cms_admin_path'] = ''; // path of the CMS admin directory relative to the FTP root
// NOTE(review): 0777 makes everything the system creates writable by every local account;
// tighten unless the deployment is known to need it.
$SYS_CONFIG['dir_mode'] = 0777; // default permissions for directories the system creates
$SYS_CONFIG['file_mode'] = 0777; // default permissions for files the system creates
// NOTE(review): error output is sent to the page and debug is on below; on a public host
// this presumably exposes paths and query details to visitors - confirm and disable.
$SYS_CONFIG['error_reporting'] = 'html'; // error reporting mode: file, html, js
$SYS_CONFIG['tpl_error_display'] = true; // show error messages on the final page: true, false
$SYS_CONFIG['admin_dir_name'] = 'admin'; // name of the admin entry directory
//-------------------- Do not modify anything below this line --------------------//
$db_config['table_content_pre'] = 'content';
$db_config['table_contribution_pre'] = 'contribution';
$db_config['table_collection_pre'] = 'collection';
$db_config['table_publish_pre'] = 'publish';
$lang_user = 'lang_user';
$lang_admin = 'lang_admin';
$SYS_DEBUG = true;
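/**
 * Holds the prefixed name of every CMS database table.
 *
 * Each public property is the configured prefix ($db_config['table_pre'])
 * followed by a fixed table suffix. The prefix comes from the configuration
 * file, not from request data.
 */
class table
{
    public $sys;
    public $user;
    public $group;
    public $admin_sessions;
    public $sessions;
    public $site;
    public $cate;
    public $content_fields;
    public $content_index;
    public $content_table;
    public $psn;
    public $resource;
    public $publish_log;
    public $collection_cate;
    public $collection_rules;
    public $tasks;
    public $contribution;
    public $resource_ref;
    public $workflow;
    public $workflow_state;
    public $workflow_record;
    public $log_admin;
    public $log_login;
    public $block_ip;
    public $contribution_note;

    public $keywords;
    public $pubadminmasks;
    public $plugins;
    public $tpl_vars;
    public $tpl_cate;
    public $tpl_data;

    // These three were assigned in the constructor without being declared;
    // declaring them avoids dynamic-property creation.
    public $tpl_block;
    public $extra_publish;
    public $node_fields;

    /**
     * Fills every property with the prefixed table name.
     *
     * A method named after its class is no longer treated as a constructor
     * in PHP 8, so the initialisation lives in __construct(); otherwise
     * "new table()" would leave every property null.
     */
    public function __construct()
    {
        global $db_config;

        // A missing prefix yields bare table names, as the original concatenation did.
        $prefix = isset($db_config['table_pre']) ? $db_config['table_pre'] : '';

        // Properties whose table suffix equals the property name.
        $sameName = array(
            'sys', 'user', 'group', 'admin_sessions', 'sessions', 'site',
            'content_fields', 'content_index', 'content_table', 'psn',
            'resource', 'publish_log', 'collection_rules', 'tasks',
            'contribution', 'contribution_note', 'keywords', 'pubadminmasks',
            'plugins', 'tpl_vars', 'resource_ref', 'workflow',
            'workflow_state', 'workflow_record', 'log_login', 'log_admin',
            'block_ip', 'tpl_cate', 'tpl_data', 'tpl_block', 'extra_publish',
            'node_fields',
        );
        foreach ($sameName as $name) {
            $this->$name = $prefix . $name;
        }

        // Two properties use an abbreviated name for a longer table suffix.
        $this->cate = $prefix . 'category';
        $this->collection_cate = $prefix . 'collection_category';
    }

    /**
     * Legacy entry point kept for code that calls table() explicitly.
     */
    public function table()
    {
        $this->__construct();
    }
}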
// Create the table-name object, then publish two settings as constants.
$table = new table();
define('TPL_Error_Display', $SYS_CONFIG['tpl_error_display']); // whether errors are shown on the final page
define('ADMIN_NAME', $SYS_CONFIG['admin_dir_name']); // name of the admin entry directory
?>

修复方案:

删除 Web 目录下的 config.php.bak 备份文件;由于其中的数据库密码已经泄露,还应同时更换该密码。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:4

确认时间:2015-07-24 10:36

厂商回复:

谢谢提醒

最新状态:

暂无