WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-11-20: Details have been reported to the vendor and are awaiting the vendor's handling. 2015-11-25: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Jiangzhong Group: a sensitive file download leaks the main site's database account and password
http://www.jzjt.com/application/configs/application.ini can be accessed and downloaded directly. The configuration file contains the database username and password:
[production]
phpSettings.display_startup_errors = 1
phpSettings.display_errors = 1
includePaths.library = APPLICATION_PATH "/../library"
bootstrap.path = APPLICATION_PATH "/Bootstrap.php"
bootstrap.class = "Bootstrap"
appnamespace = "Application"
resources.FrontController.moduleDirectory = APPLICATION_PATH "/modules"
resources.FrontController.moduleControllerDirectoryName = "controllers"
resources.FrontController.defaultModule = "default"
resources.FrontController.params.displayExceptions = 1
resources.layout.layout = "default"
resources.layout.layoutPath = APPLICATION_PATH "/views/layout"
resources.view.encoding = "UTF-8"
resources.multidb.db.adapter=PDO_MYSQL
resources.multidb.db.host ="127.0.0.1"
resources.multidb.db.username ="root"
resources.multidb.db.password ="jzjtxxzx445522"
resources.multidb.db.dbname ="db_jzshop";
resources.multidb.db.prefix =""
resources.multidb.db.isDefaultTableAdapter = TRUE
resources.multidb.db.driver_options.1002 = "SET NAMES UTF8;"
resources.multidb.admindb.adapter=PDO_MYSQL
resources.multidb.admindb.host ="127.0.0.1"
resources.multidb.admindb.username ="root"
resources.multidb.admindb.password ="jzjtxxzx445522"
resources.multidb.admindb.dbname ="db_jzshop";
resources.multidb.admindb.prefix =""
resources.multidb.admindb.driver_options.1002 = "SET NAMES UTF8;"
resources.session.save_path = APPLICATION_PATH "/sessions"
resources.session.use_only_cookies = true
resources.session.remember_me_seconds = 864000
configs.cache.frontend.name = "Core"
configs.cache.backend.name = "Memcached"
configs.cache.backend.options.compression = 1
configs.cache.frontend.options.write_control=1
configs.cache.frontend.options.caching=1
configs.cache.frontend.options.automatic_serialization=1
configs.cache.frontend.options.automatic_cleaning_factor=0
configs.cache.frontend.options.lifetime=0
; access authorization
configs.needlogin.default.index.test3 = 1
configs.needlogin.admin.ALL = 1
configs.auth.secretkey = "2bM&sz^u1Z1S3a"
configs.auth.cookieDomain = ".shenlingcao.com"
[testing : production]
phpSettings.display_startup_errors = 1
phpSettings.display_errors = 1
[development : production]
phpSettings.display_startup_errors = 1
phpSettings.display_errors = 1
resources.frontController.params.displayExceptions = 1
configs.cache.backend.name = "File"
configs.cache.backend.options.compression = 1
configs.cache.backend.options.cache_dir = APPLICATION_PATH "/../public/caches"
configs.cache.backend.options.read_control_type = "adler32"
configs.cache.frontend.options.lifetime=31536000
configs.upload.root_path = APPLICATION_PATH "/../public/uploads"
configs.upload.file_field = "file"
configs.upload.article.upload_path = "/cms"
configs.upload.article.thumbs = "100x100,600x600"
configs.upload.product_cover.upload_path = "/shop/cover"
configs.upload.product_cover.thumbs = "200x200,600x600"
configs.upload.product_image.upload_path = "/shop/items"
configs.upload.product_image.thumbs = "100x100,700x700"
configs.member.user_group.0.group_id = 0
configs.member.user_group.0.group_name = "普通会员"
configs.member.user_group.0.min_credit = 0
configs.member.user_group.0.discount = 1
configs.member.user_group.1.group_id = 1
configs.member.user_group.1.group_name = "vip会员"
configs.member.user_group.1.min_credit = 1
configs.member.user_group.1.discount = 1
configs.member.user_group.2.group_id = 2
configs.member.user_group.2.group_name = "白银会员"
configs.member.user_group.2.min_credit = 5000
configs.member.user_group.2.discount = 0.95
configs.member.user_group.3.group_id = 3
configs.member.user_group.3.group_name = "白金会员"
configs.member.user_group.3.min_credit = 20000
configs.member.user_group.3.discount = 0.9
Hide the configuration file and restrict browsing of it. Also, your main site has a lot of open ports; this is the first time I have seen a website with basically every port open = = !
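The leaked file is a Zend Framework 1 application.ini, where a section header such as [testing : production] means the section inherits every key of production and only overrides what it lists, so the database password and cookie secret are effectively present in all three environments. The following audit script is an added example, not code from the report or from the affected site: it parses a config of that shape, resolves section inheritance, and flags secret-bearing keys and debug settings that are unsafe to leave on in production. The sample config is constructed with placeholder values; only its key layout mirrors the leaked file.

```python
"""Audit a Zend Framework 1 style application.ini for embedded secrets and
for debug settings that are unsafe in production.

Added example for the report above; not code from the report or from the
affected site.  SAMPLE_INI is constructed and uses placeholder values.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: same section layout as the leaked file, placeholder values.
SAMPLE_INI = """\
[production]
phpSettings.display_errors = 1
resources.FrontController.params.displayExceptions = 1
resources.multidb.db.adapter = PDO_MYSQL
resources.multidb.db.host = "127.0.0.1"
resources.multidb.db.username = "root"
resources.multidb.db.password = "PLACEHOLDER_DB_PASSWORD"
resources.multidb.db.dbname = "db_example";
resources.multidb.db.driver_options.1002 = "SET NAMES UTF8;"
configs.auth.secretkey = "PLACEHOLDER_COOKIE_SECRET"
; access authorization
configs.needlogin.admin.ALL = 1

[testing : production]
phpSettings.display_errors = 1

[development : production]
phpSettings.display_errors = 1
configs.cache.backend.name = "File"
"""

# Matches "[name]" and Zend's inheritance form "[child : parent]".
SECTION_RE = re.compile(r"^\[\s*([^:\]]+?)\s*(?::\s*([^\]]+?)\s*)?\]$")
# Last dotted segment of a key that normally carries a secret.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|secretkey|apikey|token)$", re.I)
# Settings that expose stack traces and paths to clients when enabled (lower-cased keys).
DEBUG_SETTINGS = {
    "phpsettings.display_errors": "1",
    "phpsettings.display_startup_errors": "1",
    "resources.frontcontroller.params.displayexceptions": "1",
}


def _clean_value(raw: str) -> str:
    """Return the contents of a quoted value; otherwise drop a trailing ';' comment."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(";", 1)[0].strip()


def parse_ini(text: str) -> Dict[str, dict]:
    """Parse into {section: {"parent": name_or_None, "keys": {key: value}}}."""
    sections: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"parent": m.group(2), "keys": {}}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current]["keys"][key.strip()] = _clean_value(value)
    return sections


def effective_keys(sections: Dict[str, dict], name: str) -> Dict[str, str]:
    """Resolve a section as Zend_Config_Ini does: parent keys first, child overrides.
    An unknown parent or a cycle ends the walk."""
    chain: List[str] = []
    cur: Optional[str] = name
    while cur is not None and cur in sections and cur not in chain:
        chain.append(cur)
        cur = sections[cur]["parent"]
    merged: Dict[str, str] = {}
    for sect in reversed(chain):
        merged.update(sections[sect]["keys"])
    return merged


def audit(text: str, section: str = "production") -> List[str]:
    """Return sorted findings for one section, inherited keys included."""
    sections = parse_ini(text)
    if section not in sections:
        return [f"section {section!r} not found"]
    findings: List[str] = []
    for key, value in effective_keys(sections, section).items():
        if value and SECRET_KEY_RE.search(key.rsplit(".", 1)[-1]):
            findings.append(f"secret value in {key}")
        if DEBUG_SETTINGS.get(key.lower()) == value:
            findings.append(f"debug setting enabled in [{section}]: {key} = {value}")
    return sorted(findings)


if __name__ == "__main__":
    for sect in ("production", "development"):
        for finding in audit(SAMPLE_INI, sect):
            print(finding)
```

Run against the constructed sample, the development section reports the same two secrets as production even though it never mentions them, which is the inheritance point above. The leaked file's own paths (APPLICATION_PATH "/../public/uploads") show the standard ZF1 layout in which application/ sits beside public/; in that layout the web server's document root should be public/ alone, so application/configs/ is never reachable over HTTP regardless of any per-directory deny rule.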
Severity level: No impact (vendor ignored)
Ignored at: 2015-11-25 18:28
Vulnerability Rank: 4 (WooYun rating)
None