Vulnerability summary

Defect ID: wooyun-2015-0133661

Title: ChinaCache site source code / database leak

Vendor: ChinaCache

Author: 默默丶

Submitted: 2015-08-12 17:24

Fixed: 2015-09-26 17:34

Published: 2015-09-26 17:34

Type: sensitive network information disclosure

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-12: details sent to the vendor, awaiting vendor handling
2015-08-12: vendor confirmed; details visible to the vendor only
2015-08-22: details opened to core white hats and domain experts
2015-09-01: details opened to regular white hats
2015-09-11: details opened to intern white hats
2015-09-26: details opened to the public

Brief description:

Does a database leak count as sensitive information? Does a leaked backup count as sensitive information?
Is the merchants' information not important? The submission at login didn't go through, so I didn't log in; as it happens a friend needed an invitation code.

Detailed description:

Source download URL: http://en.chinacache.com/administrator.tar.gz
Admin backend URL: http://en.chinacache.com/administrator/

Proof of vulnerability:

[Screenshot: QQ截图20150812170923.jpg]

[Screenshot: QQ截图20150812170933.jpg]


<?php
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'ChinaCache';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = '20';
public $access = '1';
public $debug = '0';
public $debug_lang = '0';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'tzulin_ecache';
public $password = 'g0tr0jans';
public $db = 'tzulin_ecache';
public $dbprefix = 'bax1o_';
public $live_site = '';
public $secret = 'Cn9ddMYNPmWRSHJ3';
public $gzip = '0';
public $error_reporting = 'default';
public $helpurl = 'http://help.joomla.org/proxy/index.php?option=com_help&keyref=Help{major}{minor}:{keyref}';
public $ftp_host = '127.0.0.1';
public $ftp_port = '21';
public $ftp_user = '';
public $ftp_pass = '';
public $ftp_root = '';
public $ftp_enable = '1';
public $offset = 'UTC';
public $mailer = 'mail';
public $mailfrom = '[email protected]';
public $fromname = 'ChinaCache';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = '0';
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = '25';
public $caching = '0';
public $cache_handler = 'file';
public $cachetime = '15';
public $MetaDesc = 'Use ChinaCache China web delivery services to serve your site into China. Our China CDN covers over 1,000 gbps network and 400+ nodes across 120 cities.
';
public $MetaKeys = 'China web delivery, china cdn, china web acceleration, china content delivery network, cdn';
public $MetaTitle = '1';
public $MetaAuthor = '1';
public $MetaVersion = '0';
public $robots = '';
public $sef = '1';
public $sef_rewrite = '0';
public $sef_suffix = '0';
public $unicodeslugs = '0';
public $feed_limit = '10';
public $log_path = '/home/tzulin/public_html/www.eaglecache.net/logs';
public $tmp_path = '/home/tzulin/public_html/www.eaglecache.net/tmp';
public $lifetime = '1440';
public $session_handler = 'database';
public $MetaRights = '';
public $sitename_pagetitles = '0';
public $force_ssl = '0';
public $feed_email = 'author';
public $cookie_domain = '';
public $cookie_path = '';
}

Fix recommendation:

Remove the backup archive from the web root; since configuration.php is in the archive, also rotate the database password and the site secret it contains.
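The two checks a responder wants after a report like this, as an added example that is not code from the WooYun report or from ChinaCache: probe a web root for archive names commonly left behind by hand-rolled backups (the archive list, the host name and the injected status function are assumptions), and pull the usable credentials out of the Joomla configuration.php such an archive contains. The sample config embedded below is constructed with placeholder values and only mimics the layout of the leaked file.

```python
"""Added example (not from the WooYun report or ChinaCache): triage of an
exposed Joomla backup archive.  probe_archives() checks a web root for
archive names left behind by hand-rolled backups; parse_jconfig() and
leaked_secrets() extract the usable credentials from the configuration.php
such an archive contains.  Host names, the archive list and SAMPLE_CONFIG
are constructed assumptions, not data from the report."""
import re
from typing import Callable, Dict, List, Sequence
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# JConfig properties whose values grant access, as opposed to mere settings.
SENSITIVE_KEYS = ("user", "password", "db", "secret",
                  "ftp_user", "ftp_pass", "smtpuser", "smtppass")

# Archive names worth checking at the web root (assumed list; extend as needed).
COMMON_ARCHIVES = ("administrator.tar.gz", "administrator.zip",
                   "backup.tar.gz", "backup.zip", "configuration.php.bak")

# Matches one `public $name = '...';` property; the value may span lines and
# contain backslash-escaped quotes, as Joomla writes them.
_PROP_RE = re.compile(r"public\s+\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.S)


def parse_jconfig(src: str) -> Dict[str, str]:
    """Return the public string properties of a Joomla JConfig class."""
    return {m.group(1): m.group(2).replace("\\'", "'").replace("\\\\", "\\")
            for m in _PROP_RE.finditer(src)}


def leaked_secrets(cfg: Dict[str, str]) -> Dict[str, str]:
    """Keep only the non-empty properties an attacker can use directly."""
    return {k: v for k, v in cfg.items() if k in SENSITIVE_KEYS and v}


def exposure_notes(cfg: Dict[str, str]) -> List[str]:
    """Caveats that decide how far the leaked values actually reach."""
    notes = []
    if cfg.get("host") in ("localhost", "127.0.0.1"):
        notes.append("database listens on localhost: the credentials need code "
                     "execution or another foothold on the web host")
    else:
        notes.append("database host %r may be reachable remotely" % cfg.get("host"))
    if cfg.get("secret"):
        notes.append("site secret leaked: rotate it, it feeds Joomla's hash derivations")
    if cfg.get("session_handler") == "database":
        notes.append("sessions live in the database: DB access exposes live session rows")
    return notes


def probe_archives(base_url: str, head_status: Callable[[str], int],
                   names: Sequence[str] = COMMON_ARCHIVES) -> List[str]:
    """Return the archive URLs that answer 200 to a HEAD request.

    head_status is injected so the check can run offline against a fake;
    http_head_status() below is the real implementation."""
    found = []
    for name in names:
        url = base_url.rstrip("/") + "/" + name
        if head_status(url) == 200:
            found.append(url)
    return found


def http_head_status(url: str, timeout: float = 5.0) -> int:
    """HEAD the URL and return the HTTP status; 0 on connection failure."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code
    except URLError:
        return 0


# Constructed sample in the layout of the leaked file; all values are placeholders.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $sitename = 'Example Site';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'example_user';
    public $password = 'example_pass';
    public $db = 'example_db';
    public $secret = 'ExampleSecret123';
    public $ftp_enable = '1';
    public $ftp_pass = '';
    public $session_handler = 'database';
    public $MetaDesc = 'Multi-line
description';
}
"""

if __name__ == "__main__":
    cfg = parse_jconfig(SAMPLE_CONFIG)
    for key, value in leaked_secrets(cfg).items():
        print("%-10s %s" % (key, value))
    for note in exposure_notes(cfg):
        print("-", note)
    # Against a live host you own: probe_archives("https://example.test", http_head_status)
```

The probe sends HEAD requests only, so it confirms exposure without downloading the archive; run it only against hosts you are authorised to test. The localhost caveat in exposure_notes() matters for severity: a database bound to 127.0.0.1 cannot be reached with the leaked password alone, which is why the credentials and the site secret must still be rotated rather than treated as harmless.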

Copyright notice: when reposting, credit the source 默默丶@乌云


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-08-12 17:33

Vendor reply:

Thanks, we will handle it as soon as possible.

Latest status:

None