当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2011-02179

漏洞标题:凤凰网敏感信息泄漏

相关厂商:凤凰网

漏洞作者: 北洋贱队

提交时间:2011-05-26 17:00

修复时间:2011-05-30 12:00

公开时间:2011-05-30 12:00

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2011-05-26: 细节已通知厂商并且等待厂商处理中
2011-05-30: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

http://jiemu.ifeng.com/platform.xml

详细说明:

敏感信息泄漏

漏洞证明:

<?xml version="1.0" encoding="utf-8" ?>
- <configuration>
- <!-- Database Configuraiton items for database connection string
-->
- <!-- SMS Datbase
-->
- <HZABC_SMSDB>
<add key="ServerName" value="(local)" />
<add key="DatabaseName" value="HZABC_SMSDB" />
</HZABC_SMSDB>
- <!-- UMS Database
-->
- <HZABC_UMSDB>
<add key="ServerName" value="192.168.2.62" />
<add key="DatabaseName" value="IfengEPG" />
<add key="Username" value="ifeng" />
<add key="Password" value="CSa1J39eqxD5+HqOSHRA50MOBj1vQa0bL27eKgnJ4Ok=" />
</HZABC_UMSDB>
- <!-- CMS Database
-->
- <HZABC_CMSDB>
<add key="ServerName" value="192.168.2.62" />
<add key="DatabaseName" value="IfengEPG" />
<add key="Username" value="ifeng" />
<add key="Password" value="CSa1J39eqxD5+HqOSHRA50MOBj1vQa0bL27eKgnJ4Ok=" />
</HZABC_CMSDB>
- <!-- MMS Database
-->
- <HZABC_MMSDB>
<add key="ServerName" value="SVCTAG-GZ2K32X" />
<add key="DatabaseName" value="HZABC_MMSDB" />
<add key="Username" value="HZabcUser" />
<add key="Password" value="CSa1J39eqxAqZ6v56LrWpPUOIwdc4Ts0nX5EatUuwKg=" />
</HZABC_MMSDB>
- <!-- Message Agent Database
-->
- <HZABC_MADB>
<add key="ServerName" value="SVCTAG-GZ2K32X" />
<add key="DatabaseName" value="HZABC_MADB" />
<add key="Username" value="HZabcUser" />
<add key="Password" value="CSa1J39eqxAqZ6v56LrWpPUOIwdc4Ts0nX5EatUuwKg=" />
</HZABC_MADB>
- <!-- DRM Database
-->
- <HZABC_DRMDB>
<add key="ServerName" value="(local)" />
<add key="DatabaseName" value="HZABC_DRMDB" />
</HZABC_DRMDB>
- <!-- BIS Database
-->
- <HZABC_BISDB>
<add key="ServerName" value="(local)" />
<add key="DatabaseName" value="HZABC_BISDB" />
</HZABC_BISDB>
- <!-- PMS Database
-->
- <HZABC_PMSDB>
<add key="ServerName" value="(local)" />
<add key="DatabaseName" value="HZABC_PMSDB" />
</HZABC_PMSDB>
- <!-- Database Configuration end
-->
- <!-- Core Systems Configuration items for remoting accessing
-->
- <!-- UMS system: data access & business rule layer
-->
- <!-- CMS system: data access & business rule layer
-->
<HZABC_CMS />
- <!-- DRM system: data access & business rule layer
-->
<HZABC_DRM />
- <!-- BIS system: data access & business rule layer
-->
<HZABC_BIS />
- <!-- PVR system: data access & business rule layer
-->
<HZABC_PVR />
- <!-- MMS system: data access & business rule layer, 修改后, 重新启动MMS Windows Service 才有效
-->
- <!-- Core Systems Configuration end
-->
- <!-- Service Gateways Configuration for web service accessing
-->
- <HZABC_SubscriberService>
<add key="ServerName" value="localhost" />
<add key="PhysicalDir" value="subscriberservice" />
<add key="VirtualDir" value="subscriberservice" />
<add key="AppPool" value="subscriberservice" />
<add key="UserServiceUrl" value="http://localhost/subscriberservice/userservice.asmx" />
<add key="ContentServiceUrl" value="http://localhost/subscriberservice/contentservice.asmx" />
</HZABC_SubscriberService>
- <HZABC_ManagementService>
<add key="ServerName" value="localhost" />
<add key="PhysicalDir" value="managementservice" />
<add key="VirtualDir" value="managementservice" />
<add key="AppPool" value="managementservice" />
<add key="ServiceUrl" value="http://localhost/ifengepgwebMservice/managementservice.asmx" />
</HZABC_ManagementService>
- <!-- Service Gateway Configuration end
-->
- <!-- Service Web Configuration
-->
- <HZABC_SubscriberWeb>
<add key="ServerName" value="localhost" />
<add key="PhysicalDir" value="subscriberweb" />
<add key="VirtualDir" value="subscriberweb" />
<add key="AppPool" value="subscriberweb" />
<add key="ServiceUrl" value="http://localhost/subscriberweb/default.aspx" />
- <!-- 显示的关键词数目
-->
<add key="QuerywordCount" value="4" />
- <!-- 注册模式: 0,自由注册; 1,通过邀请; 2,都可以
-->
<add key="RegisterMode" value="2" />
</HZABC_SubscriberWeb>
+ <HZABC_ManagementWeb>
<add key="ServerName" value="localhost" />
<add key="PhysicalDir" value="managementweb" />
<add key="VirtualDir" value="managementweb" />
<add key="AppPool" value="managementweb" />
<add key="ServiceUrl" value="http://localhost/managementweb/default.aspx" />
</HZABC_ManagementWeb>
- <!-- Service Web Configuration end
-->
- <!-- Message Agent configuration begin
-->
- <!-- Message Agent configuration end
-->
- <!-- Common : RSA key for the sign and validated
-->
- <HZABC_COMMON_RSAKEY>
<add key="Modules" value="vx+BXZD6yVIetCmFXG7P4SUyKyPYJWPQl+CDQamFIRfRePG+VS4Alg8REjkOY36xtsOrK0OoeU1I0HaVxy2svOAE7AUpEWJ/IqsThCatFKlqY18p9AdDJFnR0RJhymI1RlE6TEb0rzJcUjH6tK112XNg/QRVMq4LFW9IvaNfFg0=" />
<add key="Exponent" value="AQAB" />
<add key="P" value="+krz2hkW6gHMGwrf9cWsogR8Nd1vSezvOjjyBMfNRb4Wg+x1zXpGT+FLT9P6lJv0sg0JpAgO6mNsalcrMpG8zw==" />
<add key="Q" value="w3sogniaruU8xgbYYo56MiRmxeEOGlQRvxIGwzfY6Cgi7GY5XHnkQbJnoXYAunH5yDC+h96qinHilJOvscROYw==" />
<add key="DP" value="7fjrpzbpoW46CJArZjsfKyBGlNRH5qq+vcW83iy2EBRuxdnCG66hQXu8plauzjMF0XAx9WKwA8yqHOVqLfeA4w==" />
<add key="DQ" value="AljxRJfUK7N/BlXAtXZGi2GahlfMho5p5CSARkneZfNNcA9OMwkXr55H1k2HdrW1rSzArPsEi0MQ2H3phzX3Rw==" />
<add key="InverseQ" value="uEuvDm4w7vxcAN+iIxyWGX2bKuXxhmDF0Hv44YmZtDMl27L3cMzRPtPqqn6YKNJPZufEdiUv9Cpq5a+ZJRRRQA==" />
<add key="D" value="jU92DwBK7N9S5FJu0FD+UrF1zn/KKJsMd78ATWRRko5RyuKyn7hLpqetL5QQF3BtZXx26p4zyrxhwgBr7cDPne1ME63Lfn9HfonlmhMPnYm3zH21zxnnUtDj4rfcqHgkmpkPpxLydx2KOHVUNTqgCxP5+/CqfebW48nhIO2ueeE=" />
</HZABC_COMMON_RSAKEY>
- <!-- Common : Cache related configuration
-->
- <HZABC_COMMON_CACHE>
- <!-- Cache自动更新的时间间隔(单位:分钟),缺省为20分钟
-->
<add key="RefleshTimer" value="20" />
- <!-- 1表示使用UMSCache,0表示不使用
-->
<add key="UMSCache" value="0" />
- <!-- 1表示使用CMSCache,不能与UMSCache同时为1,0表示不使用
-->
<add key="CMSCache" value="1" />
</HZABC_COMMON_CACHE>
- <!-- Common : Log related configuration
-->
- <HZABC_COMMON_LOG>
- <!-- Log 的存放地址. 注意: ASP.NET machine account 需要有此目录的写权限
-->
<add key="Path" value="c:\HZabcLog" />
- <!-- 被记录的Log级别: Error|Warning|Information|Exception
-->
<add key="Level" value="Error|Warning|Information|Exception" />
- <!-- 被记录的Log形式, FileLogService(Log存入文件里) 或 EventLogService(Log存入系统提供的EventLog里). 注意: 现在只支持FileLogService
-->
<add key="Provider" value="FileLogService" />
- <!-- 多长时间File Log 从内存Flush 到文件里。 缺省为60分钟
-->
<add key="FlushTimer" value="60" />
</HZABC_COMMON_LOG>
</configuration>

修复方案:

删除吧

版权声明:转载请注明来源 北洋贱队@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2011-05-30 12:00

厂商回复:

09年就没用了,一直没撤掉。准备下线。

漏洞Rank:8 (WooYun评价)

最新状态:

暂无