Sogou Passport: improper server operation and maintenance leads to information disclosure - vulnerability warning - the Black Bar Safety Net (myhack58)

2014-05-24T00:00:00
ID MYHACK58:62201447637
Type myhack58
Reporter Anonymous
Modified 2014-05-24T00:00:00

Description

Sogou Passport: improper server operation and maintenance leads to disclosure of sensitive server memory

The OpenSSL Heartbleed vulnerability was disclosed only recently, and by this evening detailed write-ups and exploitation tools were already circulating.

Affected site: https://account.sogou.com

Detailed analysis of the bug can be found in the articles below.

Original English article:

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Chinese translation:

http://drops.wooyun.org/papers/1381

Test script used:

http://s3.jspenguin.org/ssltest.py

The concrete hazard is that every malicious heartbeat request makes the server return up to 64 KB of its process memory, and the request can be repeated indefinitely; what that memory contains, and therefore the real impact, depends on the business running on the host.

In the case of Sogou Passport the leaked memory contained cookie contents, so the issue is serious.
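To make the mechanism behind that 64 KB figure concrete, here is an added example, not code from the original report and not OpenSSL's own source: a self-contained C model of the Heartbleed bug (CVE-2014-0160) in tls1_process_heartbeat(), with the 1.0.1f logic beside the 1.0.1g fix. The simulated heap, the heartbeat record and the cookie string are all constructed here, so the over-read stays inside memory the program owns; on a real server the same memcpy walks the process heap.

```c
/*
 * Added example (not from the original report, not OpenSSL's code): a
 * model of the Heartbleed over-read and its fix. Heap layout, record
 * and cookie are constructed so the demonstration is safe to run.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define PADDING          16      /* padding every heartbeat carries */
#define MAX_PAYLOAD      65535   /* largest value of the 16-bit length field */

/* Wire format: type(1) | payload_length(2, big-endian) | payload | padding */
#define n2s(p, s) ((s) = ((unsigned)(p)[0] << 8) | (p)[1], (p) += 2)
#define s2n(s, p) ((p)[0] = (unsigned char)((s) >> 8), (p)[1] = (unsigned char)(s), (p) += 2)

/* Vulnerable handler (1.0.1f logic): trusts the length field inside the
 * message and never compares it with record_len, the bytes actually
 * received. out must hold 3 + MAX_PAYLOAD + PADDING bytes. Returns the
 * response length, or 0 when nothing is sent. */
size_t heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                            unsigned char *out)
{
    const unsigned char *p = record;
    unsigned char *bp = out;
    unsigned int payload;
    unsigned char hbtype = *p++;

    (void)record_len;                 /* the bug: the real length is ignored */
    n2s(p, payload);                  /* attacker-controlled, up to 65535 */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, p, payload);           /* over-read: copies heap bytes past the record */
    memset(bp + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Fixed handler (1.0.1g logic): check the claimed length against the
 * bytes received and silently discard bad messages, as RFC 6520 requires. */
size_t heartbeat_fixed(const unsigned char *record, size_t record_len,
                       unsigned char *out)
{
    const unsigned char *p = record;
    unsigned char *bp = out;
    unsigned int payload;
    unsigned char hbtype;

    if (record_len < 1 + 2 + PADDING)
        return 0;                     /* too short to be a heartbeat at all */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + PADDING > record_len)
        return 0;                     /* claimed length exceeds the record: drop it */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, p, payload);
    memset(bp + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Constructed "process heap": the incoming record at the start, and stale
 * data from an earlier request (a made-up session cookie) 256 bytes later.
 * Sized so a 65535-byte over-read stays inside the array. */
static unsigned char heap[MAX_PAYLOAD + 256];
static unsigned char response[3 + MAX_PAYLOAD + PADDING];
static const char cookie[] = "Cookie: SUV=constructed_session_cookie_value";

/* Write a request whose real payload is the 4 bytes "ping" but whose
 * length field says claimed_len; returns the true record length (23). */
static size_t build_record(unsigned int claimed_len)
{
    unsigned char *p = heap;
    memset(heap, 0, sizeof heap);
    *p++ = TLS1_HB_REQUEST;
    s2n(claimed_len, p);
    memcpy(p, "ping", 4);
    p += 4 + PADDING;                 /* padding bytes are already zero */
    memcpy(heap + 256, cookie, sizeof cookie);
    return (size_t)(p - heap);
}

static int response_contains_cookie(size_t n)
{
    size_t clen = strlen(cookie);
    for (size_t i = 0; i + clen <= n; i++)
        if (memcmp(response + i, cookie, clen) == 0)
            return 1;
    return 0;
}

/* Malicious request (claims 65535 bytes, sends 4) against each handler. */
int vulnerable_leaks_cookie(void)
{
    return response_contains_cookie(heartbeat_vulnerable(heap, build_record(MAX_PAYLOAD), response));
}
int fixed_leaks_cookie(void)
{
    return response_contains_cookie(heartbeat_fixed(heap, build_record(MAX_PAYLOAD), response));
}
/* Well-formed request (claims 4 bytes, sends 4): the fix must still answer it. */
size_t fixed_legit_response_len(void)
{
    return heartbeat_fixed(heap, build_record(4), response);
}

int main(void)
{
    printf("vulnerable handler leaks cookie: %d\n", vulnerable_leaks_cookie());
    printf("fixed handler leaks cookie:      %d\n", fixed_leaks_cookie());
    printf("fixed handler legit response:    %zu bytes\n", fixed_legit_response_len());
    return 0;
}
```

The point to take from the model is that the fix is a single bounds check: the 1.0.1g handler still answers a well-formed 4-byte heartbeat with a 23-byte response, but drops the request that claims 65535 bytes, which is exactly what the test script relies on to distinguish patched from unpatched servers.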

python openssl.py account.sogou.com

[screenshot of the script output against account.sogou.com]

Repair solutions:

1, Only OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 beta releases are affected; other versions (including the 0.9.8 and 1.0.0 branches) are not affected and need no repair. Note that several Linux distributions backported the fix without changing the version string (a patched package may still report 1.0.1e), so check the package changelog or test the host directly rather than trusting the version number alone.

2, Version 1.0.1g fixes the vulnerability; if the OpenSSL on the server is a vulnerable version, upgrade to 1.0.1g (or your distribution's patched package), then restart every service that links OpenSSL so the old library is no longer in memory.

3, Because memory may already have been read before the upgrade, treat whatever the process held as exposed: since cookies were leaked here, invalidate existing sessions, and consider reissuing the server's private key and certificate.