
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090165

漏洞标题:奇艺某服务未授权访问导致900多名员工邮箱泄露

相关厂商:奇艺

漏洞作者: boooooom

提交时间:2015-01-06 09:43

修复时间:2015-02-20 09:44

公开时间:2015-02-20 09:44

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]



漏洞详情

披露状态:

2015-01-06: 细节已通知厂商并且等待厂商处理中
2015-01-06: 厂商已经确认,细节仅向厂商公开
2015-01-16: 细节向核心白帽子及相关领域专家公开
2015-01-26: 细节向普通白帽子公开
2015-02-05: 细节向实习白帽子公开
2015-02-20: 细节向公众公开

简要描述:

如题(RT):云会议室预定系统可匿名访问,其前端 JS(meeting.js)中硬编码了全体员工用户名列表,导致 900 余名员工邮箱地址泄露。

详细说明:

这是一个云会议室预定系统,无需登录即可访问。页面用 JS(meeting.js)实现了员工姓名自动联想(typeahead),而联想数据源 QIYI_USERS 是直接硬编码在该 JS 文件里的明文员工用户名数组;同一文件中又定义了 QIYI_MAIL_ENDFIX = "@qiyi.com",用户名 + 后缀即为员工邮箱。任何能下载到该脚本的人都能得到 900 多名员工的邮箱地址,可用于定向钓鱼,或对邮箱/统一认证入口做口令爆破(也是暴力破解用户名枚举的现成字典)。

http://101.227.20.221/index.html


http://101.227.20.221/js/meeting.js


mask 区域
*****uot;, "aixin", &quo*****
*****applezhang", "ari*****
*****t;, "baodongxu", &quo*****
*****aichaosong", "cai*****
*****quot;, "caowenlong", *****
*****t;, "changqingquan&q*****
*****t;chenbiyun", "Che*****
*****;chenfeifei", "ch*****
*****hengqiming", "chen*****
*****enjiaming", "chenji*****
*****henjiebin", "chenj*****
*****uot;chenli", "che*****
*****;chenqing", "chenr*****
*****chenxinrun", "che*****
*****quot;chenyawen", &quot*****
*****;chenyonghuan", "c*****
*****t;chuhao", "chuli*****
*****quot;, "cuixiuyun&q*****
*****;daifei", "daijin*****
*****davidwang", "david*****
*****denglizhi", "dengw*****
*****dingtian", "dingzh*****
*****dongwei", "dongxua*****
*****uanyinan", "duanyo*****
*****uot;, "eleanwang", &q*****
*****fangtianshu", "fa*****
*****;fanjiabin", "fa*****
*****nzhanghai_sx", "fan*****
*****;fenghongyuan", "fe*****
*****fengzhichao", "fis*****
*****ot;, "fuyongtao", &qu*****
*****ot;, "gaojingwei", &*****
*****ot;, "gaoxuan", &quo*****
*****uot;gengyuemei", &quot*****
*****nghaitao", "gongl*****
*****;guobaolong", "gu*****
*****uot;guowei", "gu*****
*****uoyilou", "guoyi*****
*****"guozinan", "*****
*****, "hanshiqi", "h*****
*****"haoweigang", &qu*****
*****quot;, "heliang", &q*****
*****g", "hongyu", &q*****
*****;, "huangronghui&q*****
*****quot;, "huangzhen&q*****
*****quot;hukai", "hu*****
*****g", "ivanzhang",*****
*****jiangke", "jiangpe*****
*****angyang", "jiangzhu*****
*****quot;, "jinjihua", &q*****
*****", "jiruizhe", &*****
*****ngyichen", "karry*****
*****uangxiaoxing", "ku*****
*****chentao", "leifen*****
*****ianghong", "liangji*****
*****t;liaowenting", "li*****
*****", "lichunyang",*****
*****, "liguangyi", "*****
*****ei", "lihongwei&quot*****
*****ing", "likaikai&quot*****
*****limeiwen", "limiao&quot*****
*****uot;, "linlin", &qu*****
*****uot;, "linzuxin", &q*****
*****lisali", "lishaoh*****
*****ubaojun_sx", "liub*****
*****;, "liuchuanshuang&*****
*****liufang", "liugan*****
*****liuhongjian", "li*****
*****t;liujianting", "l*****
*****ot;liujinjin", "l*****
*****ot;, "liurui", &quot*****
*****wenjie", "liuxiang*****
*****t;liuxili", "liu*****
*****yankui", "liuyonghe*****
*****liuzhengyi", "liuz*****
*****ot;, "liwei", "*****
*****lixiaoqing", "lixi*****
*****ot;, "liyingcai", &q*****
*****t;liyuming", "lizh*****
*****ot;lizhiwen", "l*****
*****quot;luanhui", "l*****
*****ot;, "luhaojie", &quo*****
*****ofengguang", "luo*****
*****ot;, "lusonglin", &qu*****
*****;lvming", "lvweik*****
*****uot;, "madong", &quo*****
*****;maming", "maning",*****
*****t;martinye", "mat*****
*****ot;, "mayue", "m*****
*****t;mirazhang", "m*****
*****iujunli", "niuliw*****
*****anxiao", "panghong*****
*****ot;, "pengcong", &quo*****
*****petertian", "piaos*****
*****uot;, "qiaoqi", &quot*****
*****njianhua", "qinxi*****
*****", "qiulu", &qu*****
*****iang", "ranlin",*****
*****;, "shangjun", &quot*****
*****enxianbin", "shenxu*****
*****ilianjun", "shiqi*****
*****;shuhuan", "shuton*****
*****ot;songjia", "son*****
*****t;, "songyangyang&q*****
*****t;songzhongliang", &quo*****
*****ot;, "sunchen", &quo*****
*****quot;, "suning", &quo*****
*****sunqi", "sunshaoc*****
*****nyanjun", "sunyin*****
*****iqiang", "tangchen*****
*****quot;, "tangqing", &q*****
*****quot;tanxu", "ta*****
*****", "tonglei", &q*****
*****ot;, "wangchengtai*****
*****ot;wangding", "wan*****
*****quot;, "wanghuanbi*****
*****;wangjichuan", "wa*****
*****k", "wangman", &*****
*****qigx", "wangqiush*****
*****wangshuguang", "w*****
*****t;, "wangweijun&qu*****
*****uot;, "wangwenjun&q*****
*****uot;, "wangxiaohui&*****
*****t;wangxuepu", "wan*****
*****;wangyidong", "wa*****
*****ngyuxiang", "wangzh*****
*****, "weiliwen", "w*****
*****uot;, "wengqifei&qu*****
*****;wujianghu", "wuj*****
*****an", "wuyan", &*****
*****ot;, "wuzhenyu", &quo*****
*****iaodi", "xiaofen*****
*****uot;, "xiaolijuan&q*****
*****t;, "xiaoxiliang&qu*****
*****iefuxiang", "xiejun*****
*****xinbaicheng", "x*****
*****t;, "xingyunhui&quo*****
*****ot;xuanhua", "xuan*****
*****quot;xuebaiji", "*****
*****", "xujing", &q*****
*****uot;, "xunana", &quo*****
*****quot;, "xuwenjie", &*****
*****yunzhong", "xuzen*****
*****uot;yangchen", "y*****
*****yanghang", "yanghan*****
*****angjianguang", "yan*****
*****angmei", "yangme*****
*****angxianghua", "yan*****
*****ot;, "yangzongfang&*****
*****ot;, "yanwen", "*****
*****ot;, "yaoxinyu", &q*****
*****uot;yezhou", "yibing&quo*****
*****inianhua", "yinji*****
*****njialu", "yuanpeng&*****
*****uot;yuanyang", "y*****
*****uot;, "yulianghuan", *****
*****t;yuxinyi", "yuxu*****
*****ngbo", "zangxiangy*****
*****uot;, "zhangbei", &qu*****
*****", "zhangchunm*****
*****ot;, "zhanghaibo&q*****
*****uot;, "zhangjian&qu*****
*****angjuanli", "zhangj*****
*****glongwen", "zhangni*****
*****zhangqing", "zhang*****
*****zhangshu", "zhangs*****
*****;, "zhangxiangpo&qu*****
*****quot;, "zhangxinwei*****
*****ot;, "zhangyashu&qu*****
*****angyukun", "zhangyu*****
*****t;, "zhaochaoyue&qu*****
*****", "zhaodonggu*****
*****t;zhaokai", "zhaok*****
*****ot;zhaoyi", "zhao*****
*****zhengkaiheng", "zh*****
*****;zhongjun", "zhongl*****
*****ot;, "zhoubaoguang&*****
*****;zhouli", "zhouni*****
*****houxiaofei", "zho*****
*****ouyuan", "zhouzhe*****
*****t;zhucheng", "zhu*****
*****n", "zhumeiqi", *****
*****;zhuxuehan", "zhuy*****
*****t;zoujing", "zoux*****
*****t;zuoxiaomo&quot*****

;
// Mail domain appended to every username picked in the attendee box
// (see initAddJoinUser). Combined with the QIYI_USERS array that this script
// ships to the browser (closed by the ";" just above, used as the typeahead
// source in initAutoUserList), anyone who can fetch this file can turn the
// whole username list into valid corporate e-mail addresses — this is the
// leak the report is about.
var QIYI_MAIL_ENDFIX = "@qiyi.com";
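/**
 * Single-flight AJAX submitter: while one request is in flight, further
 * submit() calls are refused (return false) so a double-click cannot create
 * two bookings.
 *
 * @param {string} url        endpoint to call (relative or absolute)
 * @param {string} methodType HTTP method handed to $.ajax (the caller uses "POST")
 * @param {Object} postData   form fields sent as the request body
 * @param {function(Object)} sucCall invoked with the parsed JSON response
 * @param {function()} errCall invoked when the request fails
 * @returns {boolean|undefined} false when a request is already in flight,
 *   otherwise undefined (the request runs asynchronously)
 *
 * NOTE(review): no CSRF token or auth header is attached here; the script
 * relies entirely on the server to authenticate the caller — and per the
 * report the system was reachable anonymously, so confirm server-side checks.
 */
var SubmitEvent = {
  isRequestProcess : false,
  submit : function(url, methodType, postData, sucCall, errCall) {
    var self = this;
    if (self.isRequestProcess) {
      return false;
    }
    self.isRequestProcess = true;
    // Cache-buster only; Math.random() carries no security meaning here.
    // Extend an existing query string with "&" instead of producing "?...?".
    var separator = url.indexOf("?") === -1 ? "?" : "&";
    $.ajax({
      type : methodType,
      url : url + separator + "t=" + Math.random(),
      dataType : "json",
      data : postData,
      success : function(data) {
        // Bug fix: the original cleared the flag *after* sucCall, so a callback
        // that threw left isRequestProcess stuck at true and every later
        // submit() silently refused. finally guarantees the lock is released.
        try {
          sucCall(data);
        } finally {
          self.isRequestProcess = false;
        }
      },
      error : function() {
        try {
          errCall();
        } finally {
          self.isRequestProcess = false;
        }
      }
    });
  }
};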
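/**
 * Show `msg` in the #infoMsgDialog Bootstrap modal.
 *
 * @param {string} msg message to display; rendered as plain text
 *
 * Security fix: the message is set with .text() instead of .html().
 * initSaveMeeting forwards obj.message straight from the server response into
 * this function, so inserting it as HTML would let a tampered or malicious
 * response inject markup/script into the page. Every message passed in this
 * file is plain text, so nothing is lost by escaping.
 */
function infoDialog(msg) {
  var dialog = $('#infoMsgDialog');
  dialog.find("div.modal-body").text(msg);
  dialog.modal({
    backdrop : true,
    keyboard : false,   // Bootstrap option: Esc does not dismiss the dialog
    show : true
  });
}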
/**
 * Attach the datetimepicker widget to every `.form_datetime` input.
 * Values are entered as "yyyy-mm-dd hh:ii" (minute precision; seconds are
 * appended later by initSaveMeeting) and may not precede 2014-03-01.
 */
function initDateTimeInput() {
  var pickerOptions = {
    format : 'yyyy-mm-dd hh:ii',
    startDate : "2014-03-01 00:00",
    todayBtn : true
  };
  $(".form_datetime").datetimepicker(pickerOptions);
}
/**
 * Wire Bootstrap typeahead onto every <input autoType="user"> so usernames
 * auto-complete while typing; at most 10 suggestions are shown.
 *
 * SECURITY: the suggestion source is QIYI_USERS, the complete employee
 * username array embedded at the top of this file. Anyone who can fetch
 * meeting.js — which, per the report, required no authentication — gets the
 * whole list, and with QIYI_MAIL_ENDFIX can turn every entry into a corporate
 * e-mail address. The fix is to put the page behind authentication and to
 * serve prefix matches from a rate-limited server endpoint, rather than
 * shipping the full directory to the browser.
 */
function initAutoUserList() {
  var userInputs = $("input[autoType=user]");
  if (userInputs.length === 0) {
    return;
  }
  userInputs.typeahead({
    source : QIYI_USERS,
    items : 10
  });
}
/**
 * "Add attendee" button: takes the username typed into join_user, appends
 * QIYI_MAIL_ENDFIX to form an e-mail address, and adds it to the
 * semicolon-separated maillist textarea. Blank input is ignored; the input
 * box is cleared after each add. There is no duplicate check and no
 * validation of the username — it is concatenated exactly as typed.
 */
function initAddJoinUser() {
  $("#addBtn").click(function() {
    var typed = jQuery.trim($("input[name=join_user]").val());
    if (typed === "") {
      return;
    }
    var listArea = $("textarea[name=maillist]");
    var existing = jQuery.trim(listArea.val());
    var entries = existing === "" ? [] : [existing];
    entries.push(typed + QIYI_MAIL_ENDFIX);
    listArea.val(entries.join(";"));
    $("input[name=join_user]").val("");
  });
}
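/**
 * "Save" link handler: validates the booking form client-side, POSTs it to
 * /qiyivc/vc/web via SubmitEvent, and reports the outcome.
 *
 * Client-side checks (the server must repeat them — they are trivially
 * bypassed): creator != invitee; begin and expire present; begin < expire
 * (string comparison, valid only because the picker emits fixed-width
 * "yyyy-mm-dd hh:ii"); maillist and topic non-empty. Seconds are appended to
 * the timestamps (":00" / ":59") before sending.
 *
 * Response handling: code 200 → alert with meeting_id, then reload;
 * code 301 → alert listing the already-booked slots in data.timearray;
 * anything else → the server's message in the info dialog.
 *
 * Security fix: the original parsed the response with eval(). With
 * dataType "json" the payload is already an object, and eval() on
 * server-supplied text would execute it as code; parseJsonField() below uses
 * JSON.parse instead and never evaluates anything.
 *
 * NOTE(review): the user-facing strings below appear mis-encoded (UTF-8
 * displayed as GBK) in the published listing; they are kept byte-for-byte
 * here and should be checked against the original source before editing.
 */
function initSaveMeeting() {
  // Accept an already-parsed value or a JSON string; never eval.
  function parseJsonField(raw) {
    return typeof raw === "string" ? JSON.parse(raw) : raw;
  }

  // Read one form field by selector, trimmed.
  function fieldValue(selector) {
    return jQuery.trim($(selector).val());
  }

  // Return the first validation error message, or null when the form is OK.
  // Order matches the original so the user sees the same message first.
  function validate(form) {
    if (form.creator == form.invitee) {
      return "浼氳鍦板潃鍜岄個璇峰湴鍧€涓嶈兘鐩稿悓";
    }
    if (form.begin == "") {
      return "璇烽€夋嫨寮€濮嬫椂闂�";
    }
    if (form.expire == "") {
      return "璇烽€夋嫨缁撴潫鏃堕棿";
    }
    if (form.begin >= form.expire) {
      return "寮€濮嬫椂闂村繀椤诲湪缁撴潫鏃堕棿涔嬪墠";
    }
    if (form.maillist == "") {
      return "璇锋坊鍔犻渶瑕佸弬鍔犱細璁殑浜�";
    }
    if (form.topic == "") {
      return "浼氳涓婚涓嶈兘涓虹┖";
    }
    return null;
  }

  // Success callback for SubmitEvent: `data` is the parsed JSON envelope
  // {code, message, data}.
  function onSuccess(data) {
    var obj = parseJsonField(data);
    var objdata = parseJsonField(obj.data);
    if (obj.code == 200) {
      var meetingId = objdata ? objdata.meeting_id : undefined;
      alert("浼氳棰勫畾鎴愬姛锛佷細璁� ID: " + meetingId);
      window.location.reload();
      return;
    }
    if (obj.code != 301) {
      infoDialog(obj.message);
      return;
    }
    // 301: slot conflict; list the existing bookings returned by the server.
    var timearray = (objdata && objdata.timearray) || [];
    var message = obj.message + "\n";
    message = message + "褰撳墠宸查璁㈢殑浼氳鏈�:\n";
    for (var i = 0; i < timearray.length; i++) {
      message = message + timearray[i].begin + " " + timearray[i].expire + "\n";
    }
    alert(message);
  }

  $("a[name=save]").click(function() {
    var form = {
      creator : fieldValue("select[name=creator]"),
      invitee : fieldValue("select[name=invitee]"),
      begin : fieldValue("input[name=begin]"),
      expire : fieldValue("input[name=expire]"),
      maillist : fieldValue("textarea[name=maillist]"),
      topic : fieldValue("input[name=topic]")
    };
    var problem = validate(form);
    if (problem !== null) {
      infoDialog(problem);
      return false;
    }
    var postData = {
      "creator" : form.creator,
      "begin" : form.begin + ":00",
      "expire" : form.expire + ":59",
      "invitee" : form.invitee,
      "maillist" : form.maillist,
      "topic" : form.topic
    };
    SubmitEvent.submit("/qiyivc/vc/web", "POST", postData, onSuccess, function() {
      infoDialog("缃戠粶鍑虹幇寮傚父锛岃绋嶅€欏啀璇�");
    });
  });
}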
// Page bootstrap: run each initialiser once, in this fixed order.
// Nothing in this script gates on an authenticated session — per the report
// the whole page, including the embedded QIYI_USERS list, was reachable
// anonymously; access control has to be enforced server-side.
[initDateTimeInput, initAutoUserList, initAddJoinUser, initSaveMeeting]
  .forEach(function(init) {
    init();
  });


漏洞证明:

如上

qiyi.jpg

修复方案:

访问控制:1) 为该会议室预定系统增加身份认证,未登录不得访问页面及其静态资源(含 meeting.js);2) 不要把员工名单(QIYI_USERS)硬编码在前端 JS 中,自动联想改为由服务端在登录态下按前缀查询,并限制单次返回条数和请求频率;3) 前端不要用 eval 解析服务端响应,改用 JSON.parse;4) 对已泄露的 900 余个账号做弱口令排查并加强钓鱼告警。

版权声明:转载请注明来源 boooooom@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2015-01-06 09:57

厂商回复:

亲,感谢提交。 视频会议系统匿名访问的问题我们3个月前已经提报给业务部门了。 我们尽快跟进,再次协商处理。 谢谢支持

最新状态:

暂无

