当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2011-01955

漏洞标题:苏宁易购APACHE服务器性能统计

相关厂商:苏宁易购

漏洞作者: 路人甲

提交时间:2011-04-22 15:55

修复时间:2011-04-22 16:05

公开时间:2011-04-22 16:05

漏洞类型:系统/服务运维配置不当

危害等级:低

自评Rank:3

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2011-04-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2011-04-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

对APACHE统计性能和链接统计没有加密

详细说明:

对APACHE统计目录进行限定内网访问并设置密码

漏洞证明:

pache Server Status for www.suning.cn
Server Version: IBM_HTTP_Server/6.0.2.29 Apache/2.0.47 (Unix)
Server Built: Apr 28 2008 20:32:24
Current Time: Friday, 22-Apr-2011 15:46:01 CST
Restart Time: Thursday, 21-Apr-2011 16:06:39 CST
Parent Server Generation: 0
Server uptime: 23 hours 39 minutes 22 seconds
Total accesses: 6237455 - Total Traffic: 67.3 GB
CPU Usage: u1136.44 s138.87 cu0 cs0 - 1.5% CPU load
73.2 requests/sec - 0.8 MB/second - 11.3 kB/request
616 requests currently being processed, 684 idle workers
KW__WW_WW____KKW__K__KW__WK_KWWK__K__K___WWWWWKWW__W__K_WW__W___
_W_W___W_WW__WW_WW___KKKK__W_WW___W_............................
................................................................
........__K___K_WW_W__WK__W___K_WK_W___W__CWK_WKKKWWWKW_WWW__KKW
___K_WW___W_K_KW___K_K__WWK_K__WWWWWK__K_WWKW_WK__WK_K___K____WW
_KKWWW___W_W_W_W_WWW______K_W__K_KK____W_______K__KKK_W____WKW_K
KWW___W___KW____WW_WWWW_KW__W_____WKW_W__W__W__K_W___WKWK___KK__
W__KW__WW_KK_KKW___W____________KK_KKWK____KWW__K__W__W_WKWK_W__
_W____W_K_WWKKWK_WW_K_KK__WW___W_WW__WW___WW__W__W_WW__K___WKW__
KW____W__WK___WW_KWWK__WC____W_____WWWK_____W_____W_W_WW_______W
W__WW___WW_KKKWWWK___W______WWWW__WWK_K__K__WW___W___KWC_WK____W
K__W___WKW___WW_WWK_KKK__KWWKK___W__K_KW______W_W_WWWWK___W__K__
_K______W_K_K_K__WWW__K__W_WWW__K__K_KWW____WWK__W_K__W_K_WW__KW
W_W_WW_____W__W_KWWWW__K__W___W_WCW______W__WWK_WW_W__WK_WWW_W__
_W_WW_WWKW_W_____WWKWKW_WWW___WKKKW_K___K_W_WW_WK_WWKWWWKWWW____
_KWK_WW____K__W_WW__WWWK___K__W_____W_W____WKK_W_KW_K__WKK_W____
_KW_K__WW_W_KW_KK_W_WWW_W__K_____W_K____W___K__W____K__WKK____WW
_____WW___WWW__KWWKWWW___W_K__KK___W____K__KKW____K_KW____W____K
__K_W___WK____WWK__W___W______K___KK__WKK__KWW__................
................................................................
....................___WKWWWW_KKW_WWW_K_WWK_WWW__W_W_WW__W___KWW
_W__WKW__WWKKK__WK___WWW_W_KKK_WW__W__W_W_W__WW____KKKKWK__W_WW_
W____KWWW__KW_W_K__W_K__W_KW_W____KW__WW_K_WKW_WW_W__WWW_______K
____W__WW_WWW___W_KW_W___WWK....................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 12262 11/195/7704 K 107.78 0 5 31.2 1.67 87.47 180.153.136.206 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNLogonStatusViewV4?storeId=1005
0-0 12262 9/302/7798 W 107.37 9 0 103.2 2.80 89.05 122.70.142.49 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/30704_9173_10052_2-3.png HTTP/1
0-0 12262 0/228/7454 _ 107.03 8 711 0.0 3.89 90.64 192.168.112.154 newwebserver08.cnsuning.com GET /wcsstore/ConsumerDirectStorefrontAssetStore/images/nrgl/cp
0-0 12262 0/310/8418 _ 107.36 14 61 0.0 3.23 100.47 110.81.238.59 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/207601_9075_10052_2-3.png HTTP/
0-0 12262 2/216/7487 W 107.64 6 0 0.5 2.28 84.90 219.153.18.83 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/196583_9325_10052_5000_4-0.png
0-0 12262 12/273/8326 W 107.78 0 0 38.8 2.02 100.95 123.103.14.229 newwebserver08.cnsuning.com GET /?utm_source=baidu&utm_medium=cpc&utm_term=%E8%8B%8F%E5%AE%
0-0 12262 0/169/7494 _ 106.84 19 133 0.0 3.41 88.79 61.147.122.45 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/tcd_10052__9174_.html?catalogId=
0-0 12262 2/254/8132 W 106.54 27 0 57.8 2.44 89.07 61.147.122.45 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNUserRegisterView?storeId=10052
0-0 12262 16/331/8263 W 107.75 2 0 83.5 3.93 103.25 121.14.35.232 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/76111_9173_10052_2-0.png HTTP/1
0-0 12262 0/286/8325 _ 106.62 14 0 0.0 4.93 87.44 192.168.112.154 newwebserver08.cnsuning.com GET /wcsstore/ConsumerDirectStorefrontAssetStore/css/style03New
0-0 12262 0/306/8058 _ 106.62 16 23 0.0 2.85 82.59 60.28.9.36 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ HTTP/1.1
0-0 12262 0/320/8501 _ 107.46 10 25 0.0 3.33 87.38 192.168.112.154 script.suning.cn GET /css/style410/images/main_0410.gif HTTP/1.1
0-0 12262 0/335/8592 _ 106.59 16 5 0.0 3.23 100.63 192.168.112.154 image1.suning.cn GET /content/catentries/00000000010140/000000000101404059/00000
0-0 12262 1/280/7999 K 107.46 9 11 0.0 2.78 87.81 192.168.112.154 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ HTTP/1.1
0-0 12262 2/313/8469 K 107.64 6 3 24.1 2.69 91.93 192.168.112.154 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNLogonStatusView?storeId=10052&
0-0 12262 4/284/8330 W 107.67 4 0 1.6 3.51 88.23 60.28.9.54 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/248580_9264_10052_1.png HTTP/1.
0-0 12262 0/270/8196 _ 106.91 20 0 0.0 4.01 96.98 202.100.92.216 newwebserver08.cnsuning.com GET /wcsstore/ConsumerDirectStorefrontAssetStore/javascript/js_
0-0 12262 0/262/8171 _ 107.37 12 24025 0.0 2.95 91.32 124.228.175.45 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ HTTP/1.1
0-0 12262 2/187/8157 K 107.67 5 7 25.0 2.70 84.24 192.168.112.154 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNLogonStatusView?storeId=10052&
0-0 12262 0/315/8328 _ 107.47 8 14 0.0 2.75 94.83 61.147.122.43 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ HTTP/1.1
0-0 12262 0/251/8540 _ 107.28 15 0 0.0 2.77 91.96 192.168.112.154 newwebserver08.cnsuning.com GET /wcsstore/ConsumerDirectStorefrontAssetStore/javascript/js_
0-0 12262 1/280/8038 K 107.81 0 180 0.3 2.65 97.76 60.170.241.37 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/snkwvw_10052_10051__276109_.html
0-0 12262 2/280/7936 W 107.29 15 0 57.8 3.03 92.17 61.147.122.45 newwebserver08.cnsuning.com GET /webapp/wcs/stores/ValidateCode HTTP/1.1
0-0 12262 0/191/7729 _ 106.45 20 51 0.0 2.59 85.43 61.174.60.103 image1.suning.cn GET /content/catentries/00000000010020/000000000100200754/fulli
0-0 12262 0/337/7737 _ 107.55 7 5 0.0 3.56 83.45 61.174.63.242 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/AjaxRegView?email=ml.xu@bodapack
0-0 12262 1/241/8158 W 107.81 0 0 25.2 2.38 91.78 113.107.96.175 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ HTTP/1.1
0-0 12262 8/228/8415 K 107.51 8 35 59.4 1.73 85.68 110.81.238.60 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/196583_9019_10052_5000_4-0.png
0-0 12262 0/260/8710 _ 107.21 5 0 0.0 2.24 88.25 192.168.112.154 image1.suning.cn GET /images/images_index/100100/000000000101414744_index1.jpg H
0-0 12262 1/138/7551 K 107.61 7 7028 2.1 1.59 83.13 192.168.112.154 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/snprdqna_10051_10052_123266_-7_%
0-0 12262 0/233/8165 W 106.19 13 0 0.0 2.51 88.53 121.14.35.229 newwebserver08.cnsuning.com POST /webapp/wcs/stores/servlet/odeSearch?storeId=10052&catalog
0-0 12262 28/279/8015 W 107.46 9 0 90.7 3.09 90.91 218.60.37.193 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNBrowseHistoryView?storeId=1005
0-0 12262 2/292/7925 K 107.72 2 16 0.9 2.95 92.42 192.168.112.154 newwebserver08.cnsuning.com GET /webapp/wcs/stores/prdprice/216336_9173_10052_1.png HTTP/1.
0-0 12262 0/295/7967 _ 107.66 1 43 0.0 4.22 86.86 202.100.92.216 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/LogonForm?storeId=10052&catalogI
0-0 12262 0/269/8072 _ 106.48 17 0 0.0 3.63 89.05 192.168.112.154 newwebserver08.cnsuning.com GET /wcsstore/ConsumerDirectStorefrontAssetStore/css/style04/im
0-0 12262 2/227/7726 K 107.78 0 0 7.0 2.46 91.35 61.147.122.45 newwebserver08.cnsuning.com GET /wcsstore/ConsumerDirectStorefrontAssetStore/css/css_user/d
0-0 12262 0/307/7977 _ 107.67 4 226 0.0 3.88 84.84 192.168.112.154 newwebserver08.cnsuning.com GET /webapp/wcs/stores/temp/home/ad01.jpg HTTP/1.1
0-0 12262 0/301/7979 _ 106.87 20 37 0.0 3.08 88.82 220.181.93.7 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/snmemtest_10051_10052_216115_-7_
0-0 12262 3/291/8307 K 107.72 2 7 2.0 2.72 92.40 61.174.63.219 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ HTTP/1.1
0-0 12262 0/273/9019 _ 106.39 22 4 0.0 3.89 113.06 60.2.251.205 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNLogonStatusView?storeId=10052&
0-0 12262 0/270/7623 _ 106.45 20 10762 0.0 2.13 90.46 202.100.92.216 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/LogonForm?catalogId=10051&storeI
0-0 12262 0/340/8374 _ 106.84 22 43609 0.0 3.30 86.57 123.103.14.229 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/SNSmartActivityView?storeId=1005
0-0 12262 7/282/8370 W 99.09 184 0 5.8 3.00 90.05 124.228.175.45 newwebserver08.cnsuning.com GET /webapp/wcs/stores/servlet/ODESearch?langId=-7&storeId=1005
0-0 12262 0/329/7810 W 100.38 123 0 0.0 2.81 91.03 110.81.238.59 newwebserver08.cnsuning.com POST /webapp/wcs/stores/servlet/ODESearch?langId=-7&storeId=100
0-0 12262 6/301/8134 W 106.94 17 0 3.5 3.76 100.88 121.14.35

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:5 (WooYun评价)