当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-07772

漏洞标题:sogou 众多主应用引擎文件读取及敏感信息暴露

相关厂商:搜狗

漏洞作者: shine

提交时间:2012-06-01 13:09

修复时间:2012-07-16 13:10

公开时间:2012-07-16 13:10

漏洞类型:重要敏感信息泄露

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2012-06-01: 细节已通知厂商并且等待厂商处理中
2012-06-04: 厂商已经确认,细节仅向厂商公开
2012-06-14: 细节向核心白帽子及相关领域专家公开
2012-06-24: 细节向普通白帽子公开
2012-07-04: 细节向实习白帽子公开
2012-07-16: 细节向公众公开

简要描述:

如题,果然被猜中,有第一处就会有同样的多处!

详细说明:


众多svn信息暴露(所有应用都清理一下,肯定很多):

http://music.sogou.com/.svn/entries
http://wap.sogou.com/.svn/entries
http://wap.sogou.com/pic/.svn/entries
http://wap.sogou.com/book/.svn/entries
http://wap.sogou.com/music/.svn/entries
http://wap.sogou.com/new/.svn/entries
http://wap.sogou.com/sogou/map/.svn/entries
http://wap.sogou.com/sogou/.svn/entries


漏洞证明:


web.xml文件读取(IE6下读取显示有点问题,在Firefox下正常):
http://mp3.sogou.com/WEB-INF/web.xml


<web-app><servlet><servlet-name>QueryInitServlet</servlet-name><servlet-class>com.sogou.music.query.init.InitServlet</servlet-class><load-on-startup>1</load-on-startup></servlet><servlet><servlet-name>InitAsyncTinyServlet</servlet-name><servlet-class>com.sogou.music.query.init.TinyServlet</servlet-class><load-on-startup>2</load-on-startup></servlet><servlet><servlet-name>LinkListServlet</servlet-name><servlet-class>com.sogou.music.query.servlet.LinkListServlet</servlet-class></servlet><servlet-mapping><servlet-name>LinkListServlet</servlet-name><url-pattern>/api/links</url-pattern></servlet-mapping><servlet><servlet-name>LyricServlet</servlet-name><servlet-class>com.sogou.music.query.servlet.LyricServlet</servlet-class></servlet><servlet-mapping><servlet-name>LyricServlet</servlet-name><url-pattern>/api/lrc</url-pattern></servlet-mapping><servlet><servlet-name>SongListServlet</servlet-name><servlet-class>com.sogou.music.query.servlet.SongListServlet</servlet-class></servlet><servlet-mapping><servlet-name>SongListServlet</servlet-name><url-pattern>/api/songlist</url-pattern></servlet-mapping><servlet><servlet-name>HobbyServlet</servlet-name><servlet-class>com.sogou.music.query.servlet.HobbyServlet</servlet-class></servlet><servlet-mapping><servlet-name>HobbyServlet</servlet-name><url-pattern>/api/hobby</url-pattern></servlet-mapping><!-- copy begin--><servlet><servlet-name>LinkListServlet2</servlet-name><servlet-class>com.sogou.music.query.servlet.LinkListServlet2</servlet-class></servlet><servlet-mapping><servlet-name>LinkListServlet2</servlet-name><url-pattern>/api/links2</url-pattern></servlet-mapping><servlet><servlet-name>LyricServlet2</servlet-name><servlet-class>com.sogou.music.query.servlet.LyricServlet2</servlet-class></servlet><servlet-mapping><servlet-name>LyricServlet2</servlet-name><url-pattern>/api/lrc2</url-pattern></servlet-mapping><servlet><servlet-name>SongListServlet2</servlet-name><servlet-class>com.sogou.music.query.servlet.SongListServlet2</servlet-class></servlet><servlet-mapping><servlet-name>SongListServlet2</servlet-name><url-pattern>/api/songlist2</url-pattern></servlet-mapping><servlet><servlet-name>HobbyServlet2</servlet-name><servlet-class>com.sogou.music.query.servlet.HobbyServlet2</servlet-class></servlet><servlet-mapping><servlet-name>HobbyServlet2</servlet-name><url-pattern>/api/hobby2</url-pattern></servlet-mapping><servlet><servlet-name>QcServlet2</servlet-name><servlet-class>com.sogou.music.query.servlet.QcServlet2</servlet-class></servlet><servlet-mapping><servlet-name>QcServlet2</servlet-name><url-pattern>/api/qc2</url-pattern></servlet-mapping><servlet><servlet-name>PictureServlet</servlet-name><servlet-class>com.sogou.music.query.servlet.PictureServlet</servlet-class></servlet><!-- iapi --><servlet-mapping><servlet-name>PictureServlet</servlet-name><url-pattern>/iapi/pic</url-pattern></servlet-mapping><servlet><servlet-name>LinkListServlet3</servlet-name><servlet-class>com.sogou.music.query.servlet.LinkListServlet3</servlet-class></servlet><servlet-mapping><servlet-name>LinkListServlet3</servlet-name><url-pattern>/iapi/links</url-pattern></servlet-mapping><servlet><servlet-name>SongListServlet3</servlet-name><servlet-class>com.sogou.music.query.servlet.SongListServlet3</servlet-class></servlet><servlet-mapping><servlet-name>SongListServlet3</servlet-name><url-pattern>/iapi/songlist</url-pattern></servlet-mapping><!-- end --><filter><filter-name>AlbumFilter</filter-name><filter-class>com.sogou.music.query.init.filter.AlbumFilter</filter-class></filter><filter-mapping><filter-name>AlbumFilter</filter-name><url-pattern>/music.so</url-pattern></filter-mapping><filter><filter-name>CharsetFilter</filter-name><filter-class>com.sogou.music.query.init.filter.CharsetFilter</filter-class></filter><filter-mapping><filter-name>CharsetFilter</filter-name><url-pattern>/*.so</url-pattern></filter-mapping><filter-mapping><filter-name>CharsetFilter</filter-name><url-pattern>/*.jsp</url-pattern></filter-mapping><filter><filter-name>BrowserFilter</filter-name><filter-class>com.sogou.music.query.init.filter.BrowserFilter</filter-class></filter><filter-mapping><filter-name>BrowserFilter</filter-name><url-pattern>/listen*.so</url-pattern></filter-mapping><filter-mapping><filter-name>BrowserFilter</filter-name><url-pattern>/listen/listenV2*.jsp</url-pattern></filter-mapping><filter><filter-name>ReferFilter2</filter-name><filter-class>com.sogou.music.query.init.filter.ReferFilter2</filter-class><init-param><param-name>refer</param-name><param-value/></init-param></filter><filter-mapping><filter-name>ReferFilter2</filter-name><url-pattern>/iapi/*</url-pattern></filter-mapping><filter><filter-name>ReferFilter</filter-name><filter-class>com.sogou.music.query.init.filter.ReferFilter</filter-class><init-param><param-name>ban</param-name><param-value>true</param-value></init-param></filter><filter-mapping><filter-name>ReferFilter</filter-name><url-pattern>/api/*</url-pattern></filter-mapping></web-app>


http://mbox.sogou.com/WEB-INF/web.xml


<web-app><servlet><servlet-name>InitServer</servlet-name><servlet-class>com.sogou.music.musicbox.servlet.InitServlet</servlet-class><load-on-startup>1</load-on-startup><init-param><param-name>hotTagNum</param-name><param-value>20</param-value></init-param></servlet><servlet-mapping><servlet-name>InitServer</servlet-name><url-pattern>/init</url-pattern></servlet-mapping><servlet><servlet-name>TPLInitServer</servlet-name><servlet-class>com.sogou.miscsearch.music.tpl.InitServlet</servlet-class><load-on-startup>1</load-on-startup><init-param><param-name>tplPath</param-name><param-value>/search/odin/resin/mbox/conf/tpl</param-value></init-param></servlet><servlet><servlet-name>InitAsyncTinyServlet</servlet-name><servlet-class>com.sogou.music.query.util.tiny.TinyServlet</servlet-class><load-on-startup>2</load-on-startup></servlet><!--error-page>
		<error-code>400</error-code>
		<location>/error400.html</location>
	</error-page>
	<error-page>
		<error-code>404</error-code>
		<location>/error404.html</location>
	</error-page>
	<error-page>
		<error-code>500</error-code>
		<location>/error500.html</location>
	</error-page--></web-app>


http://music.sogou.com/WEB-INF/web.xml


<web-app><welcome-file-list>index.html</welcome-file-list><!--error-page>   
        	<error-code>404</error-code>   
	        <location>/admin/error.so?errorcode=404</location>   
	</error-page> 
	<error-page>
                <error-code>500</error-code>
                <location>/admin/error.so?errorcode=500</location>
        </error-page--><servlet><servlet-name>InitServer</servlet-name><servlet-class>com.sogou.music.camp.tpl.servlet.InitServlet</servlet-class><load-on-startup>1</load-on-startup><init-param><param-name>tplPath</param-name><param-value>/search/odin/resin/musicphb/tag/WEB-INF/classes/tpl/web/dynamic</param-value></init-param></servlet><servlet><servlet-name>SSIServlet</servlet-name><servlet-class>com.caucho.servlets.ssi.SSIServlet</servlet-class></servlet><servlet-mapping><servlet-name>SSIServlet</servlet-name><url-pattern>*.html</url-pattern></servlet-mapping></web-app>


修复方案:

多关注安全!

版权声明:转载请注明来源 shine@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2012-06-04 14:23

厂商回复:

感谢, 正在安排处理

最新状态:

暂无

漏洞评价:

评论