艺龙网某站点svn泄漏源代码

编号117687
Urlhttp://www.wooyun.org/bug.php?action=view&id=117687
漏洞状态厂商已经确认
漏洞标题艺龙网某站点svn泄漏源代码
漏洞类型敏感信息泄露
厂商艺龙旅行网
白帽子lijiejie
提交日期2015-06-02 12:20:00
公开日期2015-07-17 15:42:00
修复时间(not set)
确认时间2015-06-02 00:00:00
Confirm Spend0
漏洞标签
关注数0
收藏数0
白帽评级
白帽自评rank6
厂商评级
厂商评rank8
漏洞简介
艺龙网某站点svn泄漏源代码, 可获取数据库帐号
漏洞细节

SVN泄漏:

http://ssl.elong.com/hotel2/.svn/entries


elong.png

POC

<?php
if(!defined('IN_ELONGSDK')) {
exit('Access Denied');
}
$_SC = array();
//数据库参数配置
$_SC['dbhost'] = '211.151.230.166'; //服务器地址
$_SC['dbuser'] = 'lohoo'; //用户
$_SC['dbpw'] = 'lohoonopass123'; //密码
//数据库参数配置
$_SC['dbhost'] = '127.0.0.1'; //服务器地址
$_SC['dbuser'] = 'root'; //用户
$_SC['dbpw'] = 'root'; //密码
$_SC['dbcharset'] = 'utf8'; //字符集
$_SC['pconnect'] = 0; //是否持续连接
$_SC['dbname'] = 'elongsdk'; //数据库
$_SC['charset'] = 'utf-8'; //页面字符集
//程序参数配置
$_SC['gzipcompress'] = 0; //启用gzip
$_SC['template'] = ''; //选择模板目录
$_SC['timeoffset'] = 8; //时区偏移量
$_SC['gzipcompress'] = 0; //是否启用gzip
$_SC['lang'] = "cn"; //语言 cn,en
$_SC['lang_num'] = "2"; //如果部署中英文版值为2,值为2时,域名/en/目录为英文版,默认为1

//合作伙伴参数配置
$_SC['elongcard'] = '617265612'; //elong分配的代理卡号
$_SC['orderfrom'] = '5062'; //elong分配的orderfrom值
$_SC['agencyid'] = 'AP0016114'; //elong分配的代理编号
$_SC['api_user'] = 'AP0016114'; //elong分配的api访问用户名
$_SC['api_password'] = 'AP0016114'; //elong分配的api访问密码
$_SC['endpoint'] ='http://114-svc.elong.com/NorthBoundService/V1.1/NorthBoundAPIService.asmx?WSDL';
$_SC['fanli'] ='http://jump.fanli.qq.com/redirect.php?mall_id=10043&force_login=1&login_type=1&show_page=0';
//test api server
//$_SC['endpoint'] ='http://192.168.9.24/newNorthBoundService/V1.1/NorthBoundAPIService.asmx?WSDL';
//test api server
//测试
//$_SC['endpoint'] ='http://211.151.230.209/NewNorthBoundService/V1.1/NorthBoundAPIService.asmx?WSDL';
$_sc['timeout'] =30; //api的超时时间
//网站中文参数
$_SC['web_url'] = "http://go.qq.com/"; //网站域名
$_SC['local_url'] = "http://qq.elong.com";
$_SC['web_name'] = ""; //网站名称
$_SC['web_tel'] = "4006-997788"; //预订电话
$_SC['web_beian'] = ""; //备案号
$_SC['apiorder'] = 0; //0为链接到elong完成预定,1为通过api完成预定
$_SC['book'] = '酒店预订';
//导航城市
//地标分类
$pointtypes = array(
'1'=>'景点',
'2'=>'主题',
'3'=>'交通',
'4'=>'医院',
'5'=>'商企行政',
'7'=>'生活服务',
'8'=>'购物',
'9'=>'餐馆',
'10'=>'学校',
);
$urlcode=urlencode("http://".$_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF']."?".$_SERVER['QUERY_STRING']);
?>

修复方案

删除.svn文件夹

状态信息 2015-06-02: 细节已通知厂商并且等待厂商处理中
2015-06-02: 厂商已经确认,细节仅向厂商公开
2015-06-12: 细节向核心白帽子及相关领域专家公开
2015-06-22: 细节向普通白帽子公开
2015-07-02: 细节向实习白帽子公开
2015-07-17: 细节向公众公开
厂商回复已确认,谢谢
回应信息危害等级:中漏洞Rank:8 确认时间:2015-06-02 15:40