当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118838

漏洞标题:北京一路热点信息(16WiFi)某配置不当导致源代码泄漏

相关厂商:北京一路热点信息技术有限公司

漏洞作者: 路人甲

提交时间:2015-06-07 17:47

修复时间:2015-07-22 17:48

公开时间:2015-07-22 17:48

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-07-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

北京一路热点信息技术有限公司
七彩集团旗下移动互联网公司,以公交Wifi新媒体 (即16WiFi平台)为切入点,结合七彩传媒10余年的公交广告传媒优势资源,构建全国范围多元一体化的公共交通领域移动互联网生活平台, 开创户外数字传播新格局

详细说明:

自从有了16WiFi,发现真的好实用!
16Wi-Fi APP代码放到了Github上面,导致整个源代码泄漏

https://github.com/HZJegg/16wifi/blob/master/e-RoadWiFi/e-RoadWiFi-Info.plist


<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>en</string>
	<key>CFBundleDisplayName</key>
	<string>16WiFi</string>
	<key>CFBundleExecutable</key>
	<string>${EXECUTABLE_NAME}</string>
	<key>CFBundleIdentifier</key>
	<string>com.e-road</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>${PRODUCT_NAME}</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>
	<key>CFBundleShortVersionString</key>
	<string>2.2.1</string>
	<key>CFBundleSignature</key>
	<string>????</string>
	<key>CFBundleURLTypes</key>
        .............


https://github.com/HZJegg/16wifi/blob/master/e-RoadWiFi/AppDelegate.m


平台开发的API接口

[WXApi registerApp:WXAPP_ID withDescription:@"weixin"];
    
//    [self ShowUpDateInfo];
    //启动友盟统计
    [self umengTrack];
    //设置友盟社会化分享
    [UMSocialData setAppKey:UMENG_APPKEY];
 
    [UMSocialWechatHandler setWXAppId:@"wxec18d96456cf5b87" appSecret:@"e32014b9477266bdda1cd13acba94f66" url:@"http://m.16wifi.com/thirdinfo/share/index.html" ];
    
    [UMSocialQQHandler setQQWithAppId:@"1101094886" appKey:@"nxnpUqv2EzAUYZZR" url:@"http://m.16wifi.com/thirdinfo/share/index.html"];
    [UMSocialSinaHandler openSSOWithRedirectURL:@"http://sns.whalecloud.com/sina2/callback"];


QQ20150607-1@2x.png

漏洞证明:

自从有了16WiFi,发现真的好实用!
16Wi-Fi APP代码放到了Github上面,导致整个源代码泄漏

https://github.com/HZJegg/16wifi/blob/master/e-RoadWiFi/e-RoadWiFi-Info.plist


<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>en</string>
	<key>CFBundleDisplayName</key>
	<string>16WiFi</string>
	<key>CFBundleExecutable</key>
	<string>${EXECUTABLE_NAME}</string>
	<key>CFBundleIdentifier</key>
	<string>com.e-road</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>${PRODUCT_NAME}</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>
	<key>CFBundleShortVersionString</key>
	<string>2.2.1</string>
	<key>CFBundleSignature</key>
	<string>????</string>
	<key>CFBundleURLTypes</key>
        .............


https://github.com/HZJegg/16wifi/blob/master/e-RoadWiFi/AppDelegate.m


平台开发的API接口

[WXApi registerApp:WXAPP_ID withDescription:@"weixin"];
    
//    [self ShowUpDateInfo];
    //启动友盟统计
    [self umengTrack];
    //设置友盟社会化分享
    [UMSocialData setAppKey:UMENG_APPKEY];
 
    [UMSocialWechatHandler setWXAppId:@"wxec18d96456cf5b87" appSecret:@"e32014b9477266bdda1cd13acba94f66" url:@"http://m.16wifi.com/thirdinfo/share/index.html" ];
    
    [UMSocialQQHandler setQQWithAppId:@"1101094886" appKey:@"nxnpUqv2EzAUYZZR" url:@"http://m.16wifi.com/thirdinfo/share/index.html"];
    [UMSocialSinaHandler openSSOWithRedirectURL:@"http://sns.whalecloud.com/sina2/callback"];


QQ20150607-1@2x.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)