
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0120026

Title: Unauthorized access to multiple services on php.net

Vendor: PHP

Author: 路人甲

Submitted: 2015-06-12 16:15

Fixed: 2015-06-17 16:16

Published: 2015-06-17 16:16

Vulnerability type: System/service operations misconfiguration

Severity: High

Self-assessed Rank: 15

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-06-12: Details sent to the vendor, awaiting vendor response
2015-06-17: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

php.net

Detailed description:

my.php.net    873    on 111.90.147.14
fr.php.net    873    on 195.221.21.36
th.php.net    873    on 203.121.145.121
th.php.net    11211  on 203.121.145.121
bd.php.net    873    on 116.193.170.18
us.php.net    873    on 208.69.120.58
uk.php.net    873    on 87.124.126.49
be.php.net    873    on 194.50.97.34
au.php.net    873    on 103.11.79.64

Proof of vulnerability:

>>rsync -v 195.221.21.36::apache
receiving file list ... done
drwxr-xr-x 2412 2010/11/28 08:30:04 .
-rw-r--r-- 405 2007/12/30 00:55:17 .htaccess
-rw-r--r-- 233 2004/12/20 04:30:23 .message
-rw-r--r-- 11 2010/11/25 08:19:00 DATE
-rw-r--r-- 767 2009/10/24 00:04:05 HEADER.html
-rw-r--r-- 354 2009/06/13 06:02:10 README.html
-rw-r--r-- 20 2006/12/31 05:57:13 SOURCE
-rw-r--r-- 3638 2007/06/19 23:49:15 favicon.ico
drwxr-xr-x 64 2010/07/10 15:01:54 abdera
drwxr-xr-x 121 2009/06/11 10:02:31 activemq
drwxr-xr-x 646 2010/07/26 23:47:47 ant
drwxr-xr-x 2353 2010/10/18 18:39:49 apr
drwxr-xr-x 72 2010/06/18 10:20:34 archiva
drwxr-xr-x 159 2010/10/15 02:38:22 avro
drwxr-xr-x 23 2010/09/21 03:51:09 axis
drwxr-xr-x 97 2010/01/14 11:37:10 beehive
drwxr-xr-x 183 2010/11/23 03:41:23 buildr
drwxr-xr-x 30 2009/02/18 03:12:43 camel
drwxr-xr-x 299 2010/11/13 07:22:48 cassandra
drwxr-xr-x 2616 2010/09/06 21:56:18 cayenne
drwxr-xr-x 71 2010/02/18 21:49:38 click
drwxr-xr-x 702 2009/01/13 23:03:26 cocoon
drwxr-xr-x 1046 2010/02/25 17:41:06 commons
drwxr-xr-x 72 2010/05/04 19:48:55 continuum
drwxr-xr-x 231 2010/08/17 22:47:05 couchdb
drwxr-xr-x 164 2010/10/11 21:22:55 cxf
drwxr-xr-x 115 2007/06/27 13:42:45 db
drwxr-xr-x 93 2010/03/24 23:15:09 directory
drwxrwxr-x 4269 2015/06/12 07:31:16 dist
drwxr-xr-x 1769 2007/03/15 09:58:39 excalibur
drwxr-xr-x 67409 2010/11/09 17:56:13 felix
drwxr-xr-x 364 2010/11/25 02:07:03 forrest
drwxr-xr-x 288 2010/07/06 23:06:10 geronimo
drwxr-xr-x 139 2010/05/11 06:02:09 hadoop
drwxr-xr-x 50 2007/10/09 16:03:16 harmony
drwxr-xr-x 142 2010/10/07 01:19:33 hbase
drwxr-xr-x 74 2010/10/27 06:58:47 hive
drwxr-xr-x 935 2009/05/28 10:51:47 hivemind
drwxr-xr-x 90 2007/12/17 21:24:35 httpcomponents
drwxr-xr-x 1889 2010/11/16 06:57:12 httpd
drwxr-xr-x 101 2010/07/24 10:05:03 ibatis
drwxr-xr-x 725 2010/11/10 01:40:14 incubator
drwxr-xr-x 995 2010/11/01 04:08:33 jackrabbit
drwxr-xr-x 347 2010/05/13 19:48:37 jakarta
drwxr-xr-x 400 2010/07/14 13:58:48 james
drwxr-xr-x 51 2006/07/18 06:15:53 java-repository
drwxr-xr-x 23 2010/11/09 01:20:28 juddi
drwxr-xr-x 114 2010/11/15 01:38:19 karaf
drwxr-xr-x 177 2010/01/19 23:58:44 lenya
drwxr-xr-x 120 2005/06/27 08:29:37 logging
drwxr-xr-x 196 2009/04/03 19:17:45 lucene
drwxr-xr-x 229 2010/10/31 23:01:13 mahout
drwxr-xr-x 51 2006/08/28 15:15:40 maven-repository
drwxr-xr-x 72 2010/05/06 21:37:57 maven
drwxr-xr-x 188 2010/10/27 04:53:23 mina
drwxr-xr-x 468 2010/10/02 02:31:14 myfaces
drwxr-xr-x 1115 2010/09/25 05:38:09 nutch
drwxr-xr-x 1042 2010/06/29 07:54:05 ode
drwxr-xr-x 106 2010/04/24 16:02:01 ofbiz
drwxr-xr-x 77 2010/11/18 10:54:54 openejb
drwxr-xr-x 140 2010/09/01 00:47:04 openjpa
drwxr-xr-x 133 2010/10/19 04:20:35 openwebbeans
drwxr-xr-x 68 2010/10/25 18:50:15 pdfbox
drwxr-xr-x 610 2009/05/13 10:32:56 perl
drwxr-xr-x 0 2010/10/03 17:05:34 pig
drwxr-xr-x 321 2010/10/22 22:32:20 pivot
drwxr-xr-x 68 2008/04/15 00:04:49 poi
drwxr-xr-x 134 2009/05/28 10:14:42 portals
drwxr-xr-x 117 2010/03/20 04:16:51 qpid
drwxr-xr-x 0 2007/10/26 03:04:56 quetz
drwxr-xr-x 48 2008/12/24 05:45:15 roller
drwxr-xr-x 79 2010/09/15 21:23:59 santuario
drwxr-xr-x 127 2009/11/20 19:56:33 servicemix
drwxr-xr-x 953 2009/05/28 10:51:57 shale
drwxr-xr-x 106 2010/09/13 21:15:06 shindig
drwxr-xr-x 45 2010/11/02 11:25:30 shiro
drwxr-xr-x 36318 2010/11/16 23:23:04 sling
drwxr-xr-x 1892 2010/03/29 05:16:52 spamassassin
drwxr-xr-x 100 2008/05/03 07:34:06 stdcxx
drwxr-xr-x 181 2010/08/19 21:29:19 struts
drwxr-xr-x 0 2010/03/14 06:45:53 subversion
drwxr-xr-x 89 2008/06/09 18:01:23 synapse
drwxr-xr-x 4244 2010/11/19 09:01:53 tapestry
drwxr-xr-x 68 2010/04/29 22:12:49 tcl
drwxr-xr-x 0 2010/10/28 10:50:24 thrift
drwxr-xr-x 241 2010/11/13 12:22:00 tika
drwxr-xr-x 186 2010/06/29 02:29:24 tiles
drwxr-xr-x 113 2010/08/29 23:01:12 tomcat
drwxr-xr-x 571 2010/11/13 02:21:59 trafficserver
drwxr-xr-x 1194 2008/11/19 17:36:34 turbine
drwxr-xr-x 44 2010/06/03 17:57:27 tuscany
drwxr-xr-x 0 2010/04/10 01:08:20 uima
drwxr-xr-x 192 2007/08/13 18:51:47 velocity
drwxr-xr-x 239 2010/11/06 12:41:38 wicket
drwxr-xr-x 542 2008/11/24 11:29:00 ws
drwxr-xr-x 38 2007/08/30 12:06:17 xerces
drwxr-xr-x 332 2007/08/31 23:48:48 xml
drwxr-xr-x 408 2009/12/21 02:07:50 xmlbeans
drwxr-xr-x 69 2007/03/29 15:30:19 xmlgraphics
sent 28 bytes received 1734 bytes 271.08 bytes/sec
total size is 5428 speedup is 3.08
---------------------------------------------------
>>rsync -v 194.50.97.34::
kde KDE mirror
kdeapps KDE Apps mirror
centos CentOS mirror
opencsw Opencsw mirror
mozdev Mozilla Mozdev mirror
tdf The Document Foundation mirror
jenkins Jenkins mirror
mariadb MariaDB mirror
repoforge Repoforge mirror
manjaro Manjaro mirror
archlinux ArchLinux mirror
gentoo Gentoo mirror
gentoo-portage Gentoo portage mirror
raspbian Raspbian mirror
releases Ubuntu releases
ubuntu Ubuntu archives
ius IUS
safernet safer-networking.org
>>rsync -v 194.50.97.34::kde
receiving file list ... done
drwxr-xr-x 19 2013/06/08 13:43:33 .
-rw-r--r-- 1027 2002/10/25 06:50:57 .message
-rw-r--r-- 1027 2002/10/25 06:50:57 README
-rw-r--r-- 821 2013/06/08 13:43:33 README_UPLOAD
-rw-r--r-- 5729888 2015/06/12 06:03:02 ls-lR
-rw-r--r-- 423925 2015/06/12 06:03:03 ls-lR.bz2
lrwxrwxrwx 18 2003/03/27 22:50:02 snapshots
drwxr-xr-x 124 2015/06/10 20:22:55 Attic
drwxr-xr-x 6 2000/10/01 22:07:15 adm
drwxr-xr-x 10 2005/03/07 16:30:00 contrib
drwxr-xr-x 21 2004/01/09 00:23:21 devel
drwxr-xr-x 19 2002/03/17 09:40:23 doc
drwxr-xr-x 5 2000/12/08 03:20:56 events
drwxr-xr-x 4 2004/04/21 20:09:22 packages
drwxr-xr-x 14 2006/04/07 15:55:06 printing
drwxr-xr-x 264 2010/04/13 22:49:17 security_patches
drwxr-xr-x 107 2015/06/10 20:25:01 stable
drwxr-xr-x 92 2015/05/26 06:28:48 unstable
sent 25 bytes received 361 bytes 59.38 bytes/sec
total size is 6156706 speedup is 15950.02


[screenshot: php20150612154923.png]

Fix recommendation:

~~~~

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-06-17 16:16

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-06-12 16:22 | Rtsjx ( Intern White Hat | Rank:31 Vulns:4 | ......)

    PHP is the best language in the world!!!

  2. 2015-06-12 17:27 | niliu, Certified White Hat ( Core White Hat | Rank:1542 Vulns:206 | Swimming against the current)

    PHP is the best database in the world!!!

  3. 2015-06-12 17:28 | L.N. ( Passer-by | Rank:29 Vulns:6 | Always improving····)

    PHP is the best profession in the world

  4. 2015-06-12 17:36 | ′雨。 ( Regular White Hat | Rank:1231 Vulns:190 | Only Code Never Lie To Me.)

    PHP is the best operating system in the world!!!

  5. 2015-06-12 18:03 | 紫霞仙子 ( Regular White Hat | Rank:2027 Vulns:279 | Onward and upward!!!)

    PHP is the best little sister in the world!!!

  6. 2015-06-16 14:06 | 大物期末不能挂 ( Regular White Hat | Rank:132 Vulns:23 | 1. A slacker who just wants to pass every course 2. Want to submit vulns...)

    PHP is the best server in the world!!!

  7. 2015-06-16 16:34 | r3nty ( Passer-by | Rank:2 Vulns:3 )

    PHP is the best platform in the world!!!

  8. 2015-06-17 18:17 | 姗姗来迟 ( Regular White Hat | Rank:297 Vulns:72 | coffeesafe's alt account)

    PHP is the least reliable vendor on WooYun