当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071630

漏洞标题:163某站点Apache配置信息泄漏

相关厂商:网易

漏洞作者: lijiejie

提交时间:2014-08-09 16:31

修复时间:2014-09-23 16:32

公开时间:2014-09-23 16:32

漏洞类型:重要敏感信息泄露

危害等级:低

自评Rank:1

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-09: 细节已通知厂商并且等待厂商处理中
2014-08-11: 厂商已经确认,细节仅向厂商公开
2014-08-21: 细节向核心白帽子及相关领域专家公开
2014-08-31: 细节向普通白帽子公开
2014-09-10: 细节向实习白帽子公开
2014-09-23: 细节向公众公开

简要描述:

163某站点Apache配置信息泄漏

详细说明:

http://fankui.163.com/server-info?config
http://fankui.163.com/server-info

漏洞证明:

In file: /etc/apache2/mods-available/rpaf.load
RPAFproxy_ips 10.100.80.36 10.100.80.37 10.100.80.38 10.100.80.39 10.100.80.40 10.100.80.42 10.100.80.43 10.100.80.44 10.100.80.45 10.100.80.46 10.100.80.73 10.100.80.75 10.100.80.76 10.100.80.77 10.100.80.78 10.100.80.92 10.100.80.223 10.100.80.230 10.100.80.235 10.100.80.236 10.100.80.237 10.100.80.238 10.100.80.240 10.100.80.247 10.100.80.248 172.19.0.56 172.19.0.74 172.19.0.81 172.19.0.83 172.19.0.114 172.19.0.115 172.19.0.116 172.19.0.117 172.19.0.118 172.19.0.119 172.19.0.133 172.19.0.134 172.19.0.135 172.19.0.214 172.19.0.215 172.19.0.216 172.19.0.217 172.19.0.227 172.19.1.130 172.19.1.206 172.19.1.207 172.19.2.199 172.19.1.200 172.19.1.201 172.19.2.46 172.19.2.47 172.19.2.48 10.100.80.13 10.100.80.14 10.100.80.15
In file: /etc/apache2/sites-enabled/010-fankui
12: <VirtualHost *>
13: ServerName fankui.163.com
14: ServerAdmin sysadmin@hz.netease.com
15: DocumentRoot /home/dir/feedback/WebRoot
17: AddDefaultCharset GBK
19: <Directory />
20: Options FollowSymLinks
21: AllowOverride None
22: Order deny,allow
23: Deny from all
: </Directory>
26: <Directory /home/dir/feedback/WebRoot/>
27: Options FollowSymLinks
28: AllowOverride None
29: Order allow,deny
30: Allow from all
: </Directory>
33: ErrorLog /var/log/apache2/error.log
34: LogLevel warn
36: HostnameLookups Off
38: ServerSignature Off
40: <Location "/WEB-INF">
41: Order deny,allow
42: Deny from all
: </Location>
45: <Location "/META-INF">
46: Order deny,allow
47: Deny from all
: </Location>
51: JkMount /* fankui
52: JkUnMount /js/* fankui
53: JkUnmount /css/* fankui
54: JkUnmount /images/* fankui
58: ExpiresByType image/gif A604800
59: ExpiresByType image/jpeg A604800
60: ExpiresByType image/png A604800
61: ExpiresByType application/x-javascript A604800
62: ExpiresByType text/css A604800
66: RewriteEngine On
: </VirtualHost>

修复方案:

版权声明:转载请注明来源 lijiejie@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2014-08-11 17:31

厂商回复:

感谢您对网易的关注,漏洞已经修复。

最新状态:

暂无


漏洞评价:

评论