
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-027448

Title: Some minor information leaks at Sina

Vendor: Sina (新浪)

Author: D&G

Submitted: 2013-07-02 14:28

Fix date: 2013-08-16 14:29

Published: 2013-08-16 14:29

Vulnerability type: sensitive information disclosure

Severity: low

Self-assessed Rank: 1

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-07-02: details sent to the vendor, awaiting vendor action
2013-07-02: vendor confirmed; details visible to the vendor only
2013-07-12: details opened to core white hats and domain experts
2013-07-22: details opened to regular white hats
2013-08-01: details opened to intern white hats
2013-08-16: details opened to the public

Brief description:

Minor issue: database passwords are exposed, but the internal network is not reachable.

Details:

http://survey.news.sina.com.cn/test.php
http://roll.2008.sina.com.cn/test.php
https://netlogin.sina.com.cn/
http://202.106.182.172/admin/blog/login.php (login throws an error)

Proof:

http://survey.news.sina.com.cn/test.php

Array
(
[surveynewsgroup] => 1
[SCRIPT_URL] => /test.php
[SCRIPT_URI] => http://survey.news.sina.com.cn/test.php
[SINASRV_GLOBAL_MEMCACHED_SERVERS] => 10.55.28.21:7691 10.55.28.22:7691 10.55.28.23:7691
[SINASRV_MEMCACHED_SERVERS] => 10.55.28.21:7691 10.55.28.22:7691 10.55.28.23:7691
[SINASRV_MEMCACHED_HOST] => 127.0.0.1
[SINASRV_MEMCACHED_PORT] => 7600
[SINASRV_DATA_DIST_SERVER] => wvfs2.mars.grid.sina.com.cn
[SINASRV_DATA_DIST_PORT] => 8080
[SINASRV_ZONE_IDC] => XD
[SINASRV_ZONE_ISP] => CNC
[SINASRV_ZONE_ID] => 010201
[SINASRV_ROLE] => Web2
[SINASRV_OUTIP] => 10.54.22.53
[SINASRV_INTIP] => 10.55.22.53
[SINASRV_TTF_PATH] => /usr/local/sinasrv2/lib/X11/fonts/TTF
[SINASRV_WVFS_SERVERS] => wvfs2.mars.grid.sina.com.cn:8090 wvfs2.orion.grid.sina.com.cn:8090
[SINASRV_RVFS_SERVERS] => rvfs2.mars.grid.sina.com.cn:80 rvfs2.orion.grid.sina.com.cn:80
[SINASRV_CACHE_DOMAINS] => cache.mars.sina.com.cn cache.orion.sina.com.cn cache.aries.sina.com.cn cache.atlas.sina.com.cn
[SQUID_PURGE_API] => http://10.73.48.209/squidclear/ http://10.44.6.245/squidclear/
[SQUID_PURGE_ID] => dpool
[SQUID_PURGE_PROJECT] => all
[SQUID_PURGE_HOST] => www.sc.sina.com.cn
[SINASRV_SQUID_PURGE_API] => http://10.73.48.209/squidclear/ http://10.44.6.245/squidclear/
[SINASRV_SQUID_PURGE_ID] => dpool
[SINASRV_SQUID_PURGE_PROJECT] => all
[SINASRV_SQUID_PURGE_HOST] => www.sc.sina.com.cn
[SINASRV_DPMAIL_HOST] => 10.44.6.21
[SINASRV_DPMAIL_URL] => http://10.44.6.21/mailservice/api.php
[SINASRV_COUNTER_SERVICE_MASTER] => counteri.mars.grid.sina.com.cn:8000
[SINASRV_COUNTER_SERVICE_SLAVE] => 10.55.22.65:8000
[SINASRV_COUNTER_SERVICE_RESTRICT] => 1
[SINASRV_SIMPLEDB_SERVICE] => 1
[SINASRV_SIMPLEDB_SERVICE_RESTRICT] => 1
[SINASRV_VERSION] => 2
[SERVER_ALIAS] => auto.survey.sina.com.cn news.survey.sina.com.cn finance.survey.sina.com.cn survey.2008.sina.com.cn survey.sports.sina.com.cn survey.ent.sina.com.cn survey.finance.sina.com.cn survey.tech.sina.com.cn survey.auto.sina.com.cn survey.eladies.sina.com.cn survey.baby.sina.com.cn survey.house.sina.com.cn survey.edu.sina.com.cn survey.book.sina.com.cn survey.astro.sina.com.cn survey.chinawriter.com.cn survey.2010.sina.com.cn i.survey.news.sina.com.cn survey.fo.sina.com.cn
[SINASRV_DATA_DIR] => /data1/www/data/survey.news.sina.com.cn/
[SINASRV_CACHE_DIR] => /data1/www/cache/survey.news.sina.com.cn/
[SINASRV_PRIVDATA_DIR] => /data1/www/privdata/survey.news.sina.com.cn/
[SINASRV_APPLOGS_DIR] => /data1/www/applogs/survey.news.sina.com.cn/
[SINASRV_DATA_URL] => http://survey.news.sina.com.cn/data
[SINASRV_CACHE_URL] => http://survey.news.sina.com.cn/cache
[SINASRV_NDATA_CACHE_URL] => http://etch.s.dpool.sina.com.cn/nd/surveynews/
[SINASRV_DB_HOST] => m3310i.mars.grid.sina.com.cn
[SINASRV_DB_HOST_R] => s3310i.mars.grid.sina.com.cn
[SINASRV_DB_PORT] => 3310
[SINASRV_DB_NAME] => news_survey
[SINASRV_DB_USER] => generalsurvey
[SINASRV_DB_PASS] => AD8xckZDkj1ek
[SINASRV_DB_PORT_R] => 3310
[SINASRV_DB_NAME_R] => news_survey
[SINASRV_DB_USER_R] => generalsurvey_r
[SINASRV_DB_PASS_R] => Ck0a8Ldia!kdaj
[SINASRV_DB2_HOST] => m3310i.mars.grid.sina.com.cn
[SINASRV_DB2_HOST_R] => s3310i.mars.grid.sina.com.cn
[SINASRV_DB2_PORT] => 3310
[SINASRV_DB2_NAME] => news_survey_2
[SINASRV_DB2_USER] => generalsurvey
[SINASRV_DB2_PASS] => AD8xckZDkj1ek
[SINASRV_DB2_PORT_R] => 3310
[SINASRV_DB2_NAME_R] => news_survey_2
[SINASRV_DB2_USER_R] => generalsurvey_r
[SINASRV_DB2_PASS_R] => Ck0a8Ldia!kdaj
[SINASRV_DB3_HOST] => m3310i.mars.grid.sina.com.cn
[SINASRV_DB3_HOST_R] => s3310i.mars.grid.sina.com.cn
[SINASRV_DB3_PORT] => 3310
[SINASRV_DB3_NAME] => news_survey_3
[SINASRV_DB3_USER] => generalsurvey
[SINASRV_DB3_PASS] => AD8xckZDkj1ek
[SINASRV_DB3_PORT_R] => 3310
[SINASRV_DB3_NAME_R] => news_survey_3
[SINASRV_DB3_USER_R] => generalsurvey_r
[SINASRV_DB3_PASS_R] => Ck0a8Ldia!kdaj
[SINASRV_MEMCACHED_KEY_PREFIX] => survey_news-
[HTTP_HOST] => survey.news.sina.com.cn
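The array above appears to be the output of a PHP print_r() over the server environment array, left reachable through a forgotten test.php. The script below is an added example, not part of the original report or of Sina's code: it parses a dump in that format (including nested Array blocks) and pulls out what an attacker would take from it, namely database credential sets grouped by their shared prefix and suffix (SINASRV_DB_HOST/PORT/USER/NAME/PASS, with _R marking the read replica) and every RFC 1918 address of an internal service. SAMPLE_DUMP is constructed for the example; its hostnames and passwords are placeholders that only copy the key layout of the leaked array.

```python
"""Triage a leaked print_r() dump of the PHP server environment.

Added example (not from the original report). SAMPLE_DUMP is constructed:
its hostnames and passwords are placeholders that only copy the key layout
of the leaked array (SINASRV_DB_* with an _R suffix for the read replica).
"""
import re
from ipaddress import ip_address

# One "[key] => value" line of print_r() output (leading indent allowed).
ENTRY_RE = re.compile(r'^\s*\[([^\]]*)\] => (.*)$')
# Keys whose value is a secret in its own right.
SECRET_KEY_RE = re.compile(r'PASS|PASSWD|PASSWORD|SECRET|TOKEN', re.I)
# Splits SINASRV_DB2_PASS_R into prefix SINASRV_DB2 and suffix _R so the
# sibling HOST/PORT/USER/NAME keys of the same connection can be looked up.
CRED_RE = re.compile(r'^(?P<prefix>.+?)_PASS(?P<suffix>.*)$')
IPV4_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

# Constructed sample; placeholder hosts and passwords, real key names only.
SAMPLE_DUMP = """Array
(
    [SCRIPT_URL] => /test.php
    [SINASRV_MEMCACHED_SERVERS] => 10.0.0.21:7691 10.0.0.22:7691
    [SINASRV_DB_HOST] => db-master.example.internal
    [SINASRV_DB_PORT] => 3310
    [SINASRV_DB_NAME] => news_survey
    [SINASRV_DB_USER] => generalsurvey
    [SINASRV_DB_PASS] => placeholder-rw-secret
    [SINASRV_DB_HOST_R] => db-replica.example.internal
    [SINASRV_DB_PORT_R] => 3310
    [SINASRV_DB_NAME_R] => news_survey
    [SINASRV_DB_USER_R] => generalsurvey_r
    [SINASRV_DB_PASS_R] => placeholder-ro-secret
    [SINASRV_COUNTER_SERVICE_SLAVE] => 10.0.1.65:8000
    [argv] => Array
        (
            [0] => debug=1
        )

    [HTTP_HOST] => survey.news.sina.com.cn
)
"""


def parse_print_r(text):
    """Parse print_r() output, nested 'Array ( ... )' blocks included, into a dict."""
    lines = text.splitlines()
    pos = 0

    def parse_array():
        nonlocal pos
        while pos < len(lines) and lines[pos].strip() != '(':  # skip to "("
            pos += 1
        pos += 1
        result = {}
        while pos < len(lines):
            line = lines[pos]
            pos += 1
            if line.strip() == ')':
                return result
            m = ENTRY_RE.match(line)
            if not m:
                continue  # blank line that print_r emits after a nested array
            key, value = m.group(1), m.group(2).strip()
            result[key] = parse_array() if value == 'Array' else value
        return result

    while pos < len(lines) and lines[pos].strip() != 'Array':
        pos += 1
    pos += 1
    return parse_array()


def flatten(d, prefix=''):
    """Yield (dotted_key, value) pairs for every leaf of a nested dict."""
    for k, v in d.items():
        if isinstance(v, dict):
            yield from flatten(v, f'{prefix}{k}.')
        else:
            yield f'{prefix}{k}', v


def triage(env):
    """Return secrets, grouped DB credential sets and private IPv4 hosts."""
    flat = dict(flatten(env))
    secrets, creds, internal = {}, [], set()
    for key, value in flat.items():
        if SECRET_KEY_RE.search(key) and value:
            secrets[key] = value
        m = CRED_RE.match(key)
        if m and value:
            p, s = m.group('prefix'), m.group('suffix')
            creds.append({
                'host': flat.get(f'{p}_HOST{s}'),
                'port': flat.get(f'{p}_PORT{s}'),
                'user': flat.get(f'{p}_USER{s}'),
                'db': flat.get(f'{p}_NAME{s}'),
                'password': value,
            })
        for ip in IPV4_RE.findall(value):
            try:
                if ip_address(ip).is_private:
                    internal.add(ip)
            except ValueError:
                pass  # e.g. 999.1.1.1 is not an address
    return {
        'secrets': secrets,
        'credentials': creds,
        'internal_hosts': sorted(internal, key=ip_address),
    }


if __name__ == '__main__':
    for name, value in triage(parse_print_r(SAMPLE_DUMP)).items():
        print(name, value)
```

The grouping is the point: a dump like this hands over a full connection string per database (master and replica, read-write and read-only user), not just a password string, and the 10.x addresses of memcached, counter and mail services map the internal network for whoever later gains a foothold. "The internal network can't be reached" describes the reporter's vantage point, not the value of the data; the credentials stay valid until rotated.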

Fix:

Take down all the systems that are no longer in use.

Copyright notice: when reposting, please credit the source: D&G@WooYun (乌云)


Vulnerability response

Vendor response:

Severity: low

Vulnerability Rank: 2

Confirmed at: 2013-07-02 14:51

Vendor reply:

Thanks for your attention to Sina security; staff have been assigned to handle it.

Latest status:

None yet

