当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071630

漏洞标题:163某站点Apache配置信息泄漏

相关厂商:网易

漏洞作者: lijiejie

提交时间:2014-08-09 16:31

修复时间:2014-09-23 16:32

公开时间:2014-09-23 16:32

漏洞类型:重要敏感信息泄露

危害等级:低

自评Rank:1

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-09: 细节已通知厂商并且等待厂商处理中
2014-08-11: 厂商已经确认,细节仅向厂商公开
2014-08-21: 细节向核心白帽子及相关领域专家公开
2014-08-31: 细节向普通白帽子公开
2014-09-10: 细节向实习白帽子公开
2014-09-23: 细节向公众公开

简要描述:

163某站点Apache配置信息泄漏

详细说明:

http://fankui.163.com/server-info?config
http://fankui.163.com/server-info

漏洞证明:

In file: /etc/apache2/mods-available/rpaf.load
RPAFproxy_ips 10.100.80.36 10.100.80.37 10.100.80.38 10.100.80.39 10.100.80.40 10.100.80.42 10.100.80.43 10.100.80.44 10.100.80.45 10.100.80.46 10.100.80.73 10.100.80.75 10.100.80.76 10.100.80.77 10.100.80.78 10.100.80.92 10.100.80.223 10.100.80.230 10.100.80.235 10.100.80.236 10.100.80.237 10.100.80.238 10.100.80.240 10.100.80.247 10.100.80.248 172.19.0.56 172.19.0.74 172.19.0.81 172.19.0.83 172.19.0.114 172.19.0.115 172.19.0.116 172.19.0.117 172.19.0.118 172.19.0.119 172.19.0.133 172.19.0.134 172.19.0.135 172.19.0.214 172.19.0.215 172.19.0.216 172.19.0.217 172.19.0.227 172.19.1.130 172.19.1.206 172.19.1.207 172.19.2.199 172.19.1.200 172.19.1.201 172.19.2.46 172.19.2.47 172.19.2.48 10.100.80.13 10.100.80.14 10.100.80.15
In file: /etc/apache2/sites-enabled/010-fankui
  12: <VirtualHost *>
  13:   ServerName fankui.163.com
  14:   ServerAdmin [email protected]
  15:   DocumentRoot /home/dir/feedback/WebRoot
  17:   AddDefaultCharset GBK
  19:   <Directory />
  20:     Options FollowSymLinks
  21:     AllowOverride None
  22:     Order deny,allow
  23:     Deny from all
    :   </Directory>
  26:   <Directory /home/dir/feedback/WebRoot/>
  27:     Options FollowSymLinks
  28:     AllowOverride None
  29:     Order allow,deny
  30:     Allow from all
    :   </Directory>
  33:   ErrorLog /var/log/apache2/error.log
  34:   LogLevel warn
  36:   HostnameLookups Off
  38:   ServerSignature Off
  40:   <Location "/WEB-INF">
  41:     Order deny,allow
  42:     Deny from all
    :   </Location>
  45:   <Location "/META-INF">
  46:     Order deny,allow
  47:     Deny from all
    :   </Location>
  51:   JkMount /* fankui
  52:   JkUnMount /js/* fankui
  53:   JkUnmount /css/* fankui
  54:   JkUnmount /images/* fankui
  58:   ExpiresByType image/gif A604800
  59:   ExpiresByType image/jpeg A604800
  60:   ExpiresByType image/png A604800
  61:   ExpiresByType application/x-javascript A604800
  62:   ExpiresByType text/css A604800
  66:   RewriteEngine On
    : </VirtualHost>

修复方案:

版权声明:转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2014-08-11 17:31

厂商回复:

感谢您对网易的关注,漏洞已经修复。

最新状态:

暂无