
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0111870

Title: A Secoo China (寺库中国) server is vulnerable to Heartbleed

Vendor: Secoo China (寺库中国)

Author: 路人甲

Submitted: 2015-05-04 09:53

Fixed: 2015-05-09 09:54

Disclosed: 2015-05-09 09:54

Type: Improper system/service operations configuration

Severity: Medium

Self-assessed Rank: 5

Status: Vendor was notified of the vulnerability but chose to ignore it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-04: Details reported to the vendor, awaiting the vendor's response
2015-05-09: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

A Secoo China server is vulnerable to Heartbleed (OpenSSL CVE-2014-0160).

Details:

http://m.secoo.com/
http://iphone.secoo.com/


[Screenshot: 1.png]

[Screenshot: 2.png]

Proof of vulnerability:

[*] 124.251.59.104:443 - Sending Heartbeat...
[*] 124.251.59.104:443 - Heartbeat response, 18975 bytes
[+] 124.251.59.104:443 - Heartbeat response with leak
[*] 124.251.59.104:443 - Printable info leaked: [leaked process memory omitted]

Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-05-09 09:54

Vendor reply:

Vulnerability Rank: 2 (WooYun rating)

Latest status:

None yet