
Sohu Changyou sensitive information disclosure

2015-03-28 14:00

Source code published on GitHub exposes credentials for an internal mailbox.

Code:
https://github.com/lili6/tessar-server/blob/0f76d068af65a783d16d5124e576c323d292825c/tessar/src/main/java/com/cyou/scheduler/crashscheduler/db/mongodb/SendEMailMongoDBPage.java



Code:
String smtp = "smtp.cyou-inc.com";// SMTP server
String from = "[email protected] ";// sender display name
String to[] = {"[email protected] ","[email protected] ","[email protected] ","[email protected] ","[email protected] ",
"[email protected] ","[email protected] ","[email protected] ","[email protected] ","[email protected] ",
"[email protected] ","[email protected] ","[email protected] ","[email protected] ","[email protected] ","[email protected] ",
"[email protected] ","[email protected] ","[email protected] ","[email protected] "};// recipient addresses; must be real addresses
String copyto[] = {""};// CC addresses
String bcopyto[] = {"[email protected] "};// BCC addresses
String subject = "";// mail subject
String content = "";// mail body
String username = "CrashReport";// sender's real account name
String password = "abcd.1234";// sender's password



Using the account CrashReport with the password abcd.1234, login to the internal mailbox at mail.cyou-inc.com succeeded.


Proof of vulnerability:

[Screenshot: 1111.png]




Remediation:
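Added example, not part of the original report or of the tessar-server code: a pre-commit style check that flags string literals assigned to credential-like variable names in Java source, the pattern shown in the snippet above. The name patterns, placeholder list and sample source are assumptions constructed for illustration.

```python
import re

# Identifier names that usually hold a secret (assumption: tune per code base).
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api_?key", re.IGNORECASE)
# Java assignment of a string literal: <name> = "<literal>"
ASSIGN = re.compile(r'\b([A-Za-z_]\w*)\s*=\s*"((?:[^"\\]|\\.)*)"')
# Literals that are clearly placeholders rather than credentials.
PLACEHOLDERS = {"", "changeme", "xxx", "password", "<password>"}
# Either a whole string literal (kept) or a // comment (dropped).
COMMENT = re.compile(r'("(?:[^"\\]|\\.)*")|//.*')


def strip_line_comment(line):
    """Drop a trailing // comment, leaving // inside string literals alone."""
    return COMMENT.sub(lambda m: m.group(1) or "", line)


def find_hardcoded_secrets(java_source):
    """Return (line_no, variable, redacted_value) for each suspicious assignment."""
    findings = []
    for line_no, raw in enumerate(java_source.splitlines(), start=1):
        code = strip_line_comment(raw)
        for name, literal in ASSIGN.findall(code):
            if not SECRET_NAME.search(name):
                continue  # variable name does not look like a credential
            if literal.strip().lower() in PLACEHOLDERS:
                continue  # empty or placeholder value
            # Never echo the secret itself into CI logs.
            redacted = literal[:1] + "*" * (len(literal) - 1)
            findings.append((line_no, name, redacted))
    return findings


# Constructed sample modelled on the snippet in this report (values are made up).
SAMPLE = '''\
String smtp = "smtp.example.invalid"; // SMTP server
String username = "CrashReport";
String password = "not-a-real-secret"; // sender password
String subject = ""; // password reset notice
// String oldPassword = "commented-out";
String token = System.getenv("MAIL_TOKEN");
String note = "see // password = \\"x\\" in docs";
'''

if __name__ == "__main__":
    for line_no, name, redacted in find_hardcoded_secrets(SAMPLE):
        print(f'line {line_no}: {name} = "{redacted}"')
```

A finding should fail the commit. A credential that has already reached a public repository has to be rotated, because it stays readable in the Git history after the file is edited.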


Source: www.wooyun.org/bugs/wooyun-2015-096683
