当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-06702

漏洞标题:新浪分站部分源代码泄露,可进一步利用

相关厂商:新浪

漏洞作者: 蟋蟀哥哥

提交时间:2012-05-05 11:42

修复时间:2012-06-19 11:43

公开时间:2012-06-19 11:43

漏洞类型:重要敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-05-05: 细节已通知厂商并且等待厂商处理中
2012-05-05: 厂商已经确认,细节仅向厂商公开
2012-05-15: 细节向核心白帽子及相关领域专家公开
2012-05-25: 细节向普通白帽子公开
2012-06-04: 细节向实习白帽子公开
2012-06-19: 细节向公众公开

简要描述:

新浪分站部分源代码泄露,可进一步利用

详细说明:

新浪分站部分源代码泄露,可进一步利用.
昨天送的礼物全被抢了,再求礼物.谢谢

漏洞证明:

http://eladies.sina.com.tw/getnews.php~

<?php
//**********************************************************
//
include_once "./include/define.php";
if(!defined("NO_LOGIN_HANDLE_METHOD")){
define("NO_LOGIN_HANDLE_METHOD", NO_LOGIN_CONTINUE);}
include_once DEFAULT_DOC_ROOT."/include/smarty.php";
include_once DEFAULT_DOC_ROOT."/common/initialize.php";
include_once DEFAULT_DOC_ROOT."/util/network.php";
include_once DEFAULT_DOC_ROOT."/util/str_process.php";
include_once DEFAULT_DOC_ROOT."/include/eladies.php";
/*
process ...
*/
$op = Request_Param("op","","request");
$smarty = new Template;
$smarty->assign('WWW_ROOT',DEFAULT_WWW_ROOT);
$smarty->assign('DEFAULT_DOC_ROOT',DEFAULT_DOC_ROOT);
$smarty->assign('WWW_ROOT_IMAGES',WWW_ROOT_IMAGE);
$smarty->assign('WWW_ROOT_CSS',WWW_ROOT_CSS);
$smarty->assign('WWW_ROOT_JS',WWW_ROOT_JS);
$smarty->assign('UPDATE_IMAES',UPDATE_IMAES);
$smarty->assign('INCLUDE_TMPL_ROOT',INCLUDE_TMPL_ROOT);
$smarty->assign('CRON_INDEX_TMPL',CRON_INDEX_TMPL);
$smarty->assign('WWW_EXTRATMPL_ROOT',DEFAULT_WWW_ROOT."/templates/extratmpl");
if( !empty( $MemberInfo ) && isset($MemberInfo["NickName"])){
$smarty->assign('USER_NAME', $MemberInfo["NickName"] );
}
$connect = mysql_connect(ELADIES_WDB_HOST,ELADIES_WDB_USER,ELADIES_WDB_PASS) or die("資料庫連線錯誤,請聯絡管理員");
mysql_select_db(ELADIES_WDB_NAME,$connect);
//
//**********************************************************
include_once "./include/define.php";
if(!defined("NO_LOGIN_HANDLE_METHOD")){
define("NO_LOGIN_HANDLE_METHOD", NO_LOGIN_CONTINUE);
}
include_once DEFAULT_DOC_ROOT."/include/smarty.php";
include_once DEFAULT_DOC_ROOT."/common/initialize.php";
include_once DEFAULT_DOC_ROOT."/util/network.php";
include_once DEFAULT_DOC_ROOT."/include/eladies.php";
include_once DEFAULT_DOC_ROOT."/include/dict.php";
$id = Request_Param("newsid","","request");
if( intval($id) <= 0 ){
header("Location:http://eladies.sina.com.tw");
}
$eladies = new Eladies();
$news = $eladies->getPubNewsById( $id );
if( !$news || empty($news) || $news['content'] == "" || $news['title'] == ""){
header("Location:http://eladies.sina.com.tw");
}else{
if( !$eladies->updateNewsClick( $news['newsid'])){
header("Location:http://eladies.sina.com.tw");
}
}
$keywords = $news['keywords'];
$conn_news = $eladies->getConnNews($id, $keywords , 8 , $news['video_count'] , $news['category']);
$category = $eladies->getCategory( $news['category']);
$tpl_layout_name = "article.shtml";
$onevision_ad_config = 0;
$change_video_type = 0;
$_common_js_clickrecord = 'news';
$news_shcont_ = mb_substr(trim(strip_tags($news['content'])),0,35,"UTF-8")." ... ";
if( intval($news['video_count']) == 1 && $news['source'] == "tw"){ //only process tw
$video = $eladies->getVideoByNewsid( $news['id'] , $news['source'] );
$onevision_ad_config = $eladies->getOptionFunction_Onevision( 'onevision-ad-config' );
$tpl_layout_name = "article_video.shtml"; //video tmpl

if(isset($news['onevision_url']) && $onevision_ad_config['advertising_config'] == 1 ) { //only for onevision
$change_video_type = 1;
}
$_common_js_clickrecord = 'video';

}elseif( intval($news['media_count']) == 1 && $news['layout'] == "11" ){
$newsid = intval( $news['newsid']);
$images = $eladies->getImageByNewsid( $newsid , $news['source']);
$tpl_layout_name = "article_photo.shtml"; //laypout by one images tmpl

}elseif( intval($news['media_count']) > 1 ){
$newsid = intval( $news['newsid']);
$img_album_id = $newsid;
$images = $eladies->getImageByNewsid( $newsid ,$news['source']);
if( !empty($images) && count($images) > 1 && file_exists(DEFAULT_DOC_ROOT."/images/flash/newsPhoto/".$newsid."_list.xml")){
$tpl_layout_name = "article_photo02.shtml"; //imgnum > 1 tmpl
}elseif( count($images) == 1 && $news['layout'] == "11" ){
$tpl_layout_name = "article_photo.shtml";
}else{
$tpl_layout_name = "article.shtml";
}

}
$authorid = intval( $news['author']);
$author = $eladies->getAuthor( $authorid);
$smarty = new Template;
$smarty->assign('news',$news);
$smarty->assign('author',$author);
$smarty->assign('category',$category);
$smarty->assign('share_title_content',$news_shcont_);
$smarty->assign('onevision_ad_config',$onevision_ad_config);
$smarty->assign('change_video_type',$change_video_type);
$smarty->assign('WWW_ROOT',DEFAULT_WWW_ROOT);
$smarty->assign('DEFAULT_DOC_ROOT',DEFAULT_DOC_ROOT);
$smarty->assign('WWW_ROOT_IMAGES',WWW_ROOT_IMAGE);
$smarty->assign('WWW_ROOT_CSS',WWW_ROOT_CSS);
$smarty->assign('WWW_ROOT_JS',WWW_ROOT_JS);
$smarty->assign('UPDATE_IMAES',UPDATE_IMAES);
$smarty->assign('INCLUDE_TMPL_ROOT',INCLUDE_TMPL_ROOT);
$smarty->assign('CRON_INDEX_TMPL',CRON_INDEX_TMPL);
$smarty->assign('WWW_EXTRATMPL_ROOT',DEFAULT_WWW_ROOT."/templates/extratmpl");
$patten = "/<img.*?src\s*=\s*[\"|\']?\s*([^>\"\'\s\[]*)/i";
if( preg_match( $patten , $news['content'])){
$smarty->assign('CONTENT_IMG',"yes");
}else{
$smarty->assign('CONTENT_IMG',"");
}
if( $images && !empty($images) ){
$smarty->assign('first_image',$images['info'][0]['photo_image1']);
if( intval($news['media_count']) == 1 ){
$smarty->assign('first_image',$images['info'][0]['photo_image1']);
}else{ //> 1
$smarty->assign('img_album_id',$img_album_id);
}
}
if( !empty( $MemberInfo ) && isset($MemberInfo["NickName"])){
$smarty->assign('USER_NAME', $MemberInfo["NickName"] );}
$catid = intval($category['id']);
$topidinfo = $eladies->getCategory( $category['topid'] );
if( $catid == "1" || $catid == "2055" ){
$smarty->display("todaynews/$tpl_layout_name");
exit;
}elseif( $topidinfo && isset($topidinfo['id']) && $topidinfo['id'] != "1"){
$topid = intval( $topidinfo['id'] );
if( $topid == "107" ){
$toptmpl = $tmpl_access[100]['subsection'][107]['twname'];
$path = "<a href=\"/fashion/brands/list.shtml\">".$toptmpl."</a>";
$catinfo = $eladies->getCategory( $catid );
$tmpl = $catinfo['cname'];
$path.= " &gt; <a href=\"get_tmpl.php?op=list&tpldir=fashion&secdir=brands&catid=".$catid."\">".$catinfo['cname']."</a>";
$tmplname = "fashion/$tpl_layout_name";
}elseif( $topid == "357"){
$toptmpl = $tmpl_access[101]['subsection'][357]['twname'];
$path = "<a href=\"/beauty/brands/list.shtml\">".$toptmpl."</a>";
$catinfo = $eladies->getCategory( $catid );
$tmpl = $catinfo['cname'];
$path.= " &gt; <a href=\"get_tmpl.php?op=list&tpldir=beauty&secdir=brands&catid=".$catid."\">".$catinfo['cname']."</a>";
$tmplname = "beauty/$tpl_layout_name";
}else{
$toptmpl = $tmpl_access[$topid]['cname'];
$path = "<a href=\"index.php?op=".$tmpl_access[$topid]['cname']."\">".$tmpl_access[$topid]['twname']."</a>";
$tmpl = $tmpl_access[$topid]['subsection'][$catid]['cname'];
$tmplname = $toptmpl."/$tpl_layout_name";
$path.= " &gt; <a href=\"get_tmpl.php?op=list&tpldir=".$tmpl_access[$topid]['cname']."&secdir=".$tmpl_access[$topid]['subsection'][$catid]['cname']."\">".$tmpl_access[$topid]['subsection'][$catid]['twname']."</a>";
}
}else{
$tmpl = $tmpl_access[$catid]['cname'];
$tmplname = $tmpl."/$tpl_layout_name";
$path = "<a href=\"index.php?op=".$tmpl_access[$catid]['cname']."\">".$tmpl_access[$catid]['twcname']."</a>";
}
if( !$tmpl ){
$path = "";
$tmplname = "todaynews/$tpl_layout_name";
}
$smarty->assign("pathname",$path);
//add click record function
//$smarty->assign('_common_js_clickrecord',$_common_js_clickrecord);
//start 1.0 buy.sina.com.tw
$HTTP_USER_AGENT=$_SERVER['HTTP_USER_AGENT'];
if( eregi("BOT",strtoupper($HTTP_USER_AGENT)) ||
eregi("YAHOO",strtoupper($HTTP_USER_AGENT)) ||
eregi("GOOGLE",strtoupper($HTTP_USER_AGENT))){
$b_newsid = intval( $news['id']);
if($b_newsid=="22700" || $b_newsid=="22688" || $b_newsid=="22615"){
$smarty->assign('BUY_REQ_USER_AGENT',"1");
}
}
//end 1.0 buy.sina.com.tw
if( $conn_news && !empty($conn_news )){
foreach( $conn_news as $key => $val ){
$conn_news[$key]['title'] = cut_str(strip_tags($val['title']),15,null);
}
$smarty->assign('conn_news',$conn_news);
}else{
$smarty->assign('conn_news',"");
}
//*************************************************************************************
//
$specialid = intval(trim($_GET['special'])) ? intval(trim($_GET['special'])) : 0;
if($specialid){
$sql = "select title from feature where type = '0' and id = '$specialid'";
$query = mysql_query($sql);
$result = mysql_fetch_row($query);
$title = $result[0];

$smarty->assign('specialID',$specialid);
$smarty->assign('title',$title);

$sql = "select href,image,cshow from feature where type = '1' and ztype = '$specialid'";
$query = mysql_query($sql);
$result = mysql_fetch_row($query);
list($bannerHref,$bannerImage,$bannerCshow) = $result;
$smarty->assign('hasBanner',$bannerCshow);
$smarty->assign('bannerHref',$bannerHref);
$smarty->assign('bannerImage',$bannerImage);

$smarty->assign('special',1);
}
if($specialid){
if(strpos($tmplname,'video')){
$sql = "select content,title from feature where type = '4' and ztype = '$specialid'";
$query = mysql_query($sql);
while($result = mysql_fetch_row($query)){
if($result[0] == $id){
$about .= '<option selected>'.$result[1].'</option>';
}else {
$about .= '<option value="./pre_news.php?id='.$result[0].'&special='.$specialid.'">'.$result[1].'</option>';
}
}
$smarty->assign('about',$about);
}else{
$sql = "select ctype from feature where sort='$id'";
$query = mysql_query($sql);
$result = mysql_fetch_row($query);
$zflID = $result[0];
$sql = "select sort,title from feature where type = '3' and ctype = '$zflID'";
$query = mysql_query($sql);
while($result = mysql_fetch_row($query)){
if($result[0] == $id){
$about .= '<option selected>'.$result[1].'</option>';
}
else {
$about .= '<option value="./pre_news.php?id='.$result[0].'&special='.$specialid.'">'.$result[1].'</option>';
}
}
$smarty->assign('about',$about);
}
$sql = "select sort,title,image from feature where type = '3' and ctype = '$zflID' and sort != '$id' limit 8";
$query = mysql_query($sql);
while($result = mysql_fetch_row($query)){
list($tmp['id'],$tmp['title'],$tmp['image']) = $result;
if(!$tmp['image']){
$tmp['image'] = 'http://eladies.sina.com.tw/images/dummy.gif';
}
$righ[] = $tmp;
unset($tmp);
}
$smarty->assign('righ',$righ);
}
//echo $tmplname;exit;
if($specialid){
$nd_tmpl = explode('/',$tmplname);
$tmplname = 'fashion/'.$nd_tmpl[1];
}
//
//*************************************************************************************
debug_log('tmplname:'.$tmplname .' ==== _common_js_clickrecord is ====' . $_common_js_clickrecord);
$eladies->replaceClickRecord($news['id'],$_common_js_clickrecord=='news'?0:1);
//
$smarty->display($tmplname);
function debug_log($str) {
if($fd = @fopen("/home/archive/logs/debug_result.txt", "a")) {
fputs($fd, $str . "\n\r");
fclose($fd);
}
}
?>

修复方案:

你们比我专业,你们懂的

版权声明:转载请注明来源 蟋蟀哥哥@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2012-05-05 12:39

厂商回复:

感谢提供!

最新状态:

暂无


漏洞评价:

评论

  1. 2012-05-05 19:35 | imlonghao ( 普通白帽子 | Rank:730 漏洞数:74 )

    不知道这个漏洞拿到礼物没