Protecting Against Sensitive Information Leaks and Unauthorized Access: A Comprehensive Case Study Analysis


Case Study 1: Sensitive Information Leak through Unauthorized Password Reset

Yilongdai Vulnerability Package (Sensitive Information Leak and Password Reset Vulnerability) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0124387

Security Risk 【Resolved】:

  1. Yilongdai’s password recovery process (http://**.**.**.**/page/findpwdEmail.jsp?email=**@**.com) has two steps: 1. an email verification code confirms the user’s identity; 2. the login password is reset.
  2. The attack likewise has two steps: 1. complete identity verification with a verification code sent to your own email address; 2. during the password reset step, intercept the request and replace your email address with the victim’s, which resets the victim’s password.
  3. The actual attack is slightly more involved: 1. the reset request in step 2 requires the victim’s account ID in addition to the victim’s email address; that ID is, however, disclosed during the identity verification step; 2. before intercepting the step-2 request and substituting the victim’s email address, the step-1 verification code must first be sent to the victim’s email address, otherwise the reset of the victim’s password does not succeed.

Security Recommendations:

  1. The account whose password is reset must be the one that completed identity verification; the target must not be determined by any other parameter that the user can control or modify.
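As an added example (not code from the Yilongdai system or the original report), the following Python sketch contrasts a step-2 handler with the flaw described above against one that binds the reset to the identity verified in step 1; the account table, email addresses and token scheme are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo account table: email -> account id and current password.
ACCOUNTS = {
    "attacker@example.com": {"id": 1001, "password": "old-a"},
    "victim@example.com": {"id": 2002, "password": "old-v"},
}

@dataclass
class ResetService:
    """Two-step reset: verify an emailed code, then set a new password."""
    codes: dict = field(default_factory=dict)   # email -> pending code
    tokens: dict = field(default_factory=dict)  # reset token -> verified account id

    def send_code(self, email):
        code = secrets.token_hex(3)  # a real system mails this; returned here for the demo
        self.codes[email] = code
        return code

    def verify_code(self, email, code):
        """Step 1: on a correct code, issue a token bound to the verified account."""
        expected = self.codes.pop(email, None)
        if expected is None or not hmac.compare_digest(expected, code):
            raise PermissionError("bad or expired code")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = ACCOUNTS[email]["id"]
        return token

    def reset_vulnerable(self, token, email, new_password):
        """Step 2 as built in Case Study 1: the token only proves that *someone*
        verified; the target account comes from a client-supplied email field."""
        if token not in self.tokens:
            raise PermissionError("not verified")
        ACCOUNTS[email]["password"] = new_password

    def reset_hardened(self, token, new_password):
        """Step 2 fixed: the target is whatever account the token was bound to in
        step 1; no email, account id or other client field is consulted, and the
        token is consumed so it cannot be replayed."""
        account_id = self.tokens.pop(token, None)
        if account_id is None:
            raise PermissionError("not verified")
        for account in ACCOUNTS.values():
            if account["id"] == account_id:
                account["password"] = new_password
                return account_id
        raise LookupError("verified account no longer exists")
```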

Case Study 2: Sensitive Information Leak – Unauthorized Access to Shipping Addresses

Jumei Youpin Arbitrary User Shipping Address Viewing (Including Username, Contact Number, and Detailed Address) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-083201

Security Risk 【Resolved】:

  1. When shopping on Jumei Youpin, after placing an order, go to the payment page (http://**.**.**.**/i/MobileWap/pay/?batch_trade_number=**&gateway_name=&gateway=AlipayMobileWap&address_id=48218711&logistic_preference=&prefer_delivery_day=) to confirm the information and click to pay. The information to be confirmed includes the shipping address (name, phone number, detailed address), etc.
  2. The address_id parameter on this payment page can be enumerated to retrieve the shipping address information of every Jumei Youpin user.

Security Recommendations:

  1. Determine what a user may view from their authenticated session (cookie), not from URL parameters the user can control and modify.

Case Study 3: Sensitive Information Leak – Unauthorized Access to Housing Provident Fund Details

Wuhan Housing Personal Provident Fund Arbitrary Detail Inquiry https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2013-020375

Security Risk 【Resolved】:

  1. In the request parameters of the Wuhan Housing Provident Fund page (http://**.**.**.**/4.asp) (bank=XX&wd=XXXX&dwzh=XXXXXXX&xgrzh=XXXXXXXXX&jgrzh=&grzh=XXXXXXXXX&name=XXXXXXXXXXXXXXXXXX&Submit=XXXXXXXXXXXXXXXXXX), modifying the xgrzh parameter returns the provident fund payment details of other people.

Security Recommendations:

  1. Determine what a user may view from their authenticated session (cookie), not from URL parameters the user can control and modify.

Case Study 4: Sensitive Information Leak Through Unauthorized Access to Personal Resumes

China Footwear Talent Network 450,000 Resumes Leaked https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0146823

Security Risk 【Resolved】:

  1. The China Footwear Talent Network has an unauthorized access vulnerability (http://**.**.**.**/manage/talent/cn/infoView.action?talent.id=543095). The id values start from 100000, and enumerating them downloads every resume, including personal details such as name, phone number, date of birth and home address.

Security Recommendations:

  1. Determine what a user may view from their authenticated session (cookie), not from URL parameters the user can control and modify.
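An added Python example, not code from any of the three vendors above, showing the recommendation shared by Case Studies 2 to 4: the record lookup is scoped to the session user, and a short log check flags the burst of denied lookups that id enumeration produces once the ownership check is in place. The address table, user ids and log lines are constructed.

```python
from collections import Counter

# Constructed sample table: shipping addresses keyed by address_id, each with an owner.
ADDRESSES = {
    48218711: {"owner": 7, "name": "Zhang", "phone": "138****0001", "detail": "Road 1"},
    48218712: {"owner": 8, "name": "Li", "phone": "139****0002", "detail": "Road 2"},
}

class NotFound(Exception):
    pass

def address_vulnerable(session_user, address_id):
    # Case Study 2 pattern: the URL parameter alone selects the record, so any
    # logged-in caller can walk the id space and read every user's address.
    if address_id not in ADDRESSES:
        raise NotFound(address_id)
    return ADDRESSES[address_id]

def address_hardened(session_user, address_id):
    # session_user is the id resolved server-side from the session cookie, never
    # from the URL. Fetch, then require that the record belongs to that user; the
    # same error for missing and foreign ids avoids confirming which ids exist.
    record = ADDRESSES.get(address_id)
    if record is None or record["owner"] != session_user:
        raise NotFound(address_id)
    return record

def scan(handler, session_user, ids):
    """Ids in `ids` for which `handler` returns data: what an enumeration yields."""
    visible = []
    for address_id in ids:
        try:
            handler(session_user, address_id)
            visible.append(address_id)
        except NotFound:
            pass
    return visible

def flag_enumeration(log_lines, threshold=3):
    """Sessions with at least `threshold` denied lookups in constructed log lines
    'session=<s> address_id=<n> status=<code>'; once the ownership check exists,
    a burst of 404s from one session is the trace that id walking leaves."""
    denied = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("status") in ("403", "404"):
            denied[fields["session"]] += 1
    return sorted(s for s, n in denied.items() if n >= threshold)
```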

Case Study 5: Unauthorized Account Registration

Jinyingdao Improper Configuration of a Certain Station Can Leak Internal Information https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0126637

Security Risk 【Resolved】:

  1. Jinyingdao’s JIRA (http://**.**.**.**:8888/) allows open account registration. After logging in, project progress and the division of work can be viewed.

Security Recommendations:

  1. Self-registration of accounts on internal corporate systems should be disabled. Accounts should be created by administrators, or the system should be integrated with the company’s 4A, SSO, domain controller or other account management platform.

Case Study 6: Unauthorized Access to Backend Address

Fanno Enterprise Website Management System Backend Bypass https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2013-043237

Security Risk 【Resolved】:

  1. The Fanno Enterprise Website Management System backend (http://**.**.**.**/admin/main/site_info.asp) can be accessed without authorization.

Security Recommendations:

  1. All backend addresses should only be accessible after verifying cookies or other identity credentials.

Case Study 7: Unauthorized Export of Account Passwords

Jiangnan Keyou Bastion Host Direct Acquisition of Host Account Credentials/IP/Exposure of Physical Path https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0135704

Security Risk 【Resolved】:

  1. Accessing the Jiangnan Keyou bastion host export address (http://**.**.**.**/excel/sso_user_export.php) without authentication returns a list of account passwords in cleartext (user.xls), even though these credentials are stored in the database as SHA1 hashes.

Security Recommendations:

  1. All backend addresses should only be accessible after verifying cookies or other identity credentials.

Case Study 8: Unauthorized Download of Account Passwords

Bohua Wanglong Firewall Series Product XML Database File Unauthorized Access (Can Log In to Device) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2016-0207791

Security Risk 【Resolved】:

  1. The Bohua Wanglong Firewall has an unauthorized access vulnerability (http://**.**.**.**/xml/users.xml): the firewall’s account list with cleartext passwords (users.xml) can be downloaded, enabling login to the device.

Security Recommendations:

  1. All backend addresses should only be accessible after verifying cookies or other identity credentials.
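An added Python example (not the vendors’ code) of the deny-by-default rule recommended for Case Studies 6 to 8: every path not on a public allowlist requires a valid signed session cookie. The secret, cookie format and public paths are constructed for the demo.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # production: per-deployment secret from a key store

# Paths that may be served without a session. Everything else is treated as a
# backend address and requires authentication: an allowlist, not a blocklist,
# so a forgotten export script or data file is denied rather than exposed.
PUBLIC_PATHS = {"/", "/login", "/static/logo.png"}

def sign_session(user):
    """Issue a cookie value 'user:mac' with an HMAC-SHA256 over the user name."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def verify_session(cookie):
    """Return the user name if the cookie is present and its MAC is intact."""
    if not cookie or ":" not in cookie:
        return None
    user, mac = cookie.rsplit(":", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected.encode(), mac.encode()) else None

def handle(path, cookies):
    """Dispatch one request; returns (status, body)."""
    if path in PUBLIC_PATHS:
        return 200, "public page"
    user = verify_session(cookies.get("session"))
    if user is None:
        # Case Studies 6-8: /admin/main/site_info.asp, /excel/sso_user_export.php
        # and /xml/users.xml all stop here for an unauthenticated caller.
        return 401, "authentication required"
    return 200, f"backend {path} for {user}"
```

Data files such as users.xml are better kept outside the web root altogether; the gate above is the backstop for anything that still has to be served.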

Case Study 9: Unauthorized Access to Redis Service

Unauthorized Access to 263 Communications Service Leading to Direct Shell Access to the Internal Network (Affecting the Security of Hundreds of Hosts) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2016-0210705

Security Risk 【Resolved】:

  1. The 263 company’s Redis service (redis://**.**.**.**:6381) is exposed to the internet without authentication. This allows a scheduled task to be written through Redis that opens a reverse shell, giving control of the server. Probing this server (192.168.167.60) with nmap revealed 35 servers in the same class C segment.

Security Recommendations:

  1. It is recommended to configure the Redis service for local access only. Configure in /etc/redis.conf: bind 127.0.0.1;
  2. It is recommended to set up an access whitelist in the operating system using the command: iptables -A INPUT -s **.**.**.** -p tcp --dport 6379 -j ACCEPT;
  3. It is recommended to set password authentication. Configure in /etc/redis.conf: requirepass ****************;
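An added Python check, not from the original report, that audits a redis.conf for the two controls recommended above (bind and requirepass) and also flags protected-mode if it has been turned off (a Redis 3.2+ directive the page itself does not mention). The configuration fragments are constructed; the password value is a placeholder.

```python
# Constructed redis.conf fragments: the exposed state from Case Study 9, then the fix.
WEAK_CONF = """
port 6381
bind 0.0.0.0
# requirepass foobared
"""

FIXED_CONF = """
port 6381
bind 127.0.0.1
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
"""

def parse_conf(text):
    """Map directive -> value for active lines; a later directive overrides an
    earlier one, as in Redis itself."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def audit(text):
    """Findings for a redis.conf; empty means the controls from the recommendations
    above (local-only bind, password) are present and protected mode is not off."""
    conf = parse_conf(text)
    findings = []
    addrs = conf.get("bind", "").split()
    if not addrs or any(a in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("bind: listens on all interfaces; set 'bind 127.0.0.1'")
    if not conf.get("requirepass"):
        findings.append("requirepass: no password configured")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: explicitly disabled")
    return findings
```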

Case Study 10: Anonymous Access to FTP Service + Web Backdoor Upload

ZTE Energy Photovoltaic Power Station Remote Monitoring System Easily Achieves Remote Login https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2016-0169983

Security Risk 【Resolved】:

  1. ZTE Energy’s photovoltaic power station remote monitoring system exposes an FTP service (port 21) and a web service (port 8222). The FTP service allows anonymous access, so a web backdoor (**.**.**.**/a.aspx) can be uploaded into the web directory and then invoked through the web service (**.**.**.**:8222/a.aspx) to gain control of the server.

Security Recommendations:

  1. Prohibit anonymous FTP access;
  2. Prohibit opening maintenance FTP services to the internet.
