
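Vulnerability Summary

Bug ID: wooyun-2012-07090

Title: Taobao service misconfiguration leads to information disclosure

Vendor: Alibaba

Author: 兔小优

Submitted: 2012-05-14 11:09

Fixed: 2012-05-19 11:10

Disclosed: 2012-05-19 11:10

Vulnerability type: Improper system/service operations configuration

Severity: Low

Self-assessed Rank: 1

Status: The vendor has been notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]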


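Vulnerability Details

Disclosure status:

2012-05-14: Details reported to the vendor; awaiting vendor response
2012-05-19: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Configuration information is exposed

Detailed description:

http://loginlogs.wangwang.taobao.com:8080/up

Proof of vulnerability: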


CONTENT_LENGTH ''
CONTENT_TYPE ''
DOCUMENT_ROOT '/home/admin/cai/data/html'
HTTP_ACCEPT '*/*'
HTTP_ACCEPT_ENCODING 'gzip, deflate'
HTTP_ACCEPT_LANGUAGE 'zh-cn'
HTTP_CONNECTION 'Keep-Alive'
HTTP_COOKIE 'cna=d60bCAUjihwCAecdAHn08GNB; t=e97a424c2774b9b8d29c635121f0f8de; tg=0; _cc_=UtASsssmfA%3D%3D; tracknick=%5Cu8F7B%5Cu7476; lzstat_uv=35655715953752513878|2705244@2341454@1791451@1544272@2765337@2581762@1239326@2769016@2798379@2043323; ck1=; x=e%3D1%26p%3D*%26s%3D0%26c%3D1%26f%3D0%26g%3D0%26t%3D0; l=vip10106::1336962821171::01; __utma=6906807.643055897.1334198591.1334198591.1334198591.1; __utmz=6906807.1334198591.1.1.utmcsr=mai.taobao.com|utmccn=(referral)|utmcmd=referral|utmcct=/welcome.htm; miid=8699362263077233154; mt=cp=0&ci=41_1; uc1=lltime=1336962382&cookie14=UoLfdmYg7GmHTw%3D%3D&existShop=false&cookie16=U%2BGCWk%2F74Mx5tgzv3dWpnhjPaQ%3D%3D&sg=%E7%91%B653&cookie21=U%2BGCWk%2F7og%3D%3D&tag=0&cookie15=UIHiLt3xD8xYTw%3D%3D; lastgetwwmsg=MTMzNjk2MjU2MQ%3D%3D; unb=773236875; _nk_=%5Cu8F7B%5Cu7476; v=0; _l_g_=Ug%3D%3D; cookie1=VFWHeprgR7Bt77SRPmoJvf5yctXMQG9cAXVc3TwWgDI%3D; cookie2=247f804a03f01afc1572dab4b2a4e324; cookie17=VAYrGUXvV3HA'
HTTP_HOST 'loginlogs.wangwang.taobao.com:8080'
HTTP_USER_AGENT 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; QQDownload 708; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)'
PATH_INFO '/up'
QUERY_STRING ''
REMOTE_ADDR '121.0.29.231'
REMOTE_PORT '40749'
REQUEST_METHOD 'GET'
REQUEST_URI '/up'
SERVER_NAME 'loginlogs.wangwang.taobao.com'
SERVER_PORT '8080'
SERVER_PROTOCOL 'HTTP/1.1'
uwsgi.version '0.9.8.1'
wsgi.errors <open file 'wsgi_input', mode 'w' at 0x7bcf198>
wsgi.file_wrapper <built-in function uwsgi_sendfile>
wsgi.input <uwsgi._Input object at 0x3e0b8730>
wsgi.multiprocess True
wsgi.multithread False
wsgi.run_once False
wsgi.url_scheme 'http'
wsgi.version (1, 0)

Fix:

Copyright notice: when reposting, please credit 兔小优@WooYun


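Vulnerability Response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2012-05-19 11:10

Vendor reply:

Latest status:

2012-05-19: Thanks to 兔小优 for the information~

2012-05-19: The report was sent to the wrong vendor, so the Taobao team did not have time to confirm it. Apologies~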


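Vulnerability Evaluation:

Comments

  1. 2012-05-19 11:29 | xsser, verified white hat ( Regular white hat | Rank:254 Vulnerabilities:18 | When I look back on everything again, will this world be all right?)

    Taobao, would it fucking kill you to confirm it once you've fixed it?

  2. 2012-05-19 11:55 | 灵惜 ( Passerby | Rank:14 Vulnerabilities:2 | Wakaka, get it done)

    @xsser We're all furious~ but you should be a bit gentler too

  3. 2012-05-28 11:34 | 兔小优 ( Passerby | Rank:0 Vulnerabilities:1 | I'm a little white rabbit, ee-ya ee-ya yo~ o(∩_∩)o)

    @xsser Stay calm.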