当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145636

漏洞标题:百度某安全产品部分代码泄露涉及敏感信息

相关厂商:百度

漏洞作者: wolf

提交时间:2015-10-10 09:44

修复时间:2015-11-24 10:02

公开时间:2015-11-24 10:02

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-10: 细节已通知厂商并且等待厂商处理中
2015-10-10: 厂商已经确认,细节仅向厂商公开
2015-10-20: 细节向核心白帽子及相关领域专家公开
2015-10-30: 细节向普通白帽子公开
2015-11-09: 细节向实习白帽子公开
2015-11-24: 细节向公众公开

简要描述:

侧漏源码与一打数据库

详细说明:

http://scan.safe.baidu.com/.svn/entries

1.png

漏洞证明:

3.png


[db]
db_port     = 3306
db_user     = root
db_host     = 127.0.0.1
db_pass     = admin
db_dbname   = nss
db_charset  = utf8
[redis]
redis_host   = 127.0.0.1
redis_port   = 6379
redis_pass   = b8HJ9k56tY1Xza7uTba7612alpw3
[bk]
bk_host      = 127.0.0.1
bk_port      = 11300
[download]
dl_path      = /data/download
sample_rul   = http://dbl-seclab-back14.dbl01:8080/resource/apps/
[sampleredis]
sample_host  = 127.0.0.1
sample_port  = 6380
sample_pass  = bslfng
[virusResultRedis]
virusRet_host  = 127.0.0.1
virusRet_port  = 6379
virusRet_pass  = b8HJ9k56tY1Xza7uTba7612alpw3
REDIS_HOST  = '10.212.106.42'
REDIS_PORT  = 6379
REDIS_PASS  = 'b8HJ9k56tY1Xza7uTba7612alpw3'
DB_HOST = '10.212.106.41'
DB_USER = 'root'
DB_PASSWD = '3db7401e'
DB_NAME = 'nss'
redis.Redis(host='10.40.67.20', password='bslfng', port=6379, db=0)
creator=MySQLdb,
host='10.212.106.41',
user='root',
passwd='3db7401e',
db='nss',
port=8306,
creator  = MySQLdb, 
    host     = '10.212.106.45',
    port     = 3306,
    user     = 'root', 
    passwd   = '3db7401e',
    db       = 'nss',
#Email info
#SMTP_SERVER = 'smtp.mail.yahoo.com:587'
SMTP_SERVER = 'smtp.qq.com'
#SENDER = '[email protected]'
SENDER = '[email protected]'
RECVER = ['[email protected]', '[email protected]', '[email protected]', \
'[email protected]', '[email protected]', '[email protected]', '[email protected]']
#RECVER = ['[email protected]', '[email protected]', '[email protected]']
SUBJECT = "[Monitor]: Baidu Cloud Security Platform monitoring report"
#USR = '[email protected]'
USR = '2759026024'
#PASSWD = 'trustgoer2015'
PASSWD = '=bm125'
[email protected] trustgoer
 'baidu':    {'id': 1, 'key': '905f333d0cce7f58ed452f8a825c2f0cb96a4c71'},
'appchina': {'id': 2, 'key': '3dd697812da9960a1e72429cb017e97c4a535c83'},
'crossmo':  {'id': 3, 'key': '72d67561c2c0dff2d59080796d0d4f698eded10b'},
'4399':     {'id': 4, 'key': '9fc50a8a4741a718a849fe7049c3341dab916ee0'},
'cncert':   {'id': 5, 'key': 'c903889bd890d59e64ac9e9dd116e7170bdcf738'},
'hisense':  {'id': 6, 'key': 'c99c3292c57b7bc3867f62a5126a2ac1a6d5cd81'},
api_keys = {
    '905f333d0cce7f58ed452f8a825c2f0cb96a4c71': 'baidu',
    '3dd697812da9960a1e72429cb017e97c4a535c83': 'appchina',
    '92a1ce5e0032530391edae8c79336c9929f15296': 'lenovomm',
    'f508ac57765b7beaad9141f4c00039467f08a302': 'bpit',
    'b701b3525bcc274d4eae80d181b85f2664096e4f': 'gionee',
    '8fc547cdda7cc69be41169a05b4a8937dd05e175': 'pixiu',
    '3ef39aec47565a783de750b0bebdbfb72cb12ab4': 'vsearch',
    'b701b3525bcc274d4eae80d181b85f2664096e4f': 'gionee',
    'xh5fkulj2dvhtu9apbyzrevb8yf3ixdwcq6joeol': 'bsltest',
    '39aff70c29cb063cc28928326ea0f40fd03d5b9c': 'testin',
    'c347265fc2e41812da52a816ad7f1122ec344f9f': 'musi',
    '296c61378753442c7a9fffb3087eba1bea977076': 'musi_test',
}

修复方案:

版权声明:转载请注明来源 wolf@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-10 10:00

厂商回复:

感谢提交

最新状态:

暂无