Sina Technology News, evening of March 22: The vulnerability reporting platform Cloud Network published a network security vulnerability notice on its website today, stating that Ctrip's secure payment logs can be traversed and downloaded, resulting in the disclosure of a large amount of users' bank card information (including cardholder name, bank card number, CVV code and 6-digit card BIN). The notice says the details are awaiting handling by the vendor. In addition, a Ctrip sub-site was also found to allow its source code package to be downloaded directly.

Vulnerability details:

Because the server interface used to process users' secure payments had a debugging function enabled, users' payment records were saved as text. At the same time, the server storing the payment logs had not been given a strict baseline security configuration and had a directory traversal vulnerability, so all debugging information from the payment process could be read by any hacker.

Traversal usually refers to following a search path so that each node in a tree is visited once and only once. This issue is classified as sensitive information leakage; the vulnerability may lead to the leakage of a large number of Ctrip users' cardholder names, bank card numbers, CVV codes, 6-digit card BINs and other information.
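
The logging half of the problem described above can be contained even when debug output is left switched on. The following is an added example, not code from Ctrip or from the vulnerability notice: a Python logging filter that masks card numbers and CVV values before a record reaches any log file. The field names (cvv, cvc, cid) and the sample log lines are assumptions constructed for illustration.

```python
import logging
import re

# Contiguous 13-19 digit runs are treated as candidate card numbers (PANs).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# CVV-style fields; the key names are assumptions, adjust to the real schema.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b(\W{1,4})\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so order IDs and timestamps are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    digits = match.group(0)
    if not luhn_ok(digits):
        return digits
    # Keep only the first six (BIN) and last four digits.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Drop CVV values entirely and mask Luhn-valid card numbers."""
    text = CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    return PAN_RE.sub(_mask_pan, text)


class CardDataFilter(logging.Filter):
    """Attach to every handler so no sink receives raw card data."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted and redacted
        return True


if __name__ == "__main__":
    # Constructed sample debug lines, not taken from any real log.
    print(redact('pay card=4111111111111111 cvv=123 order=1234567890123456'))
    print(redact('{"pan": "4111111111111111", "cvv": "123"}'))
```

The filter only limits what ends up in the log; the log directory itself still has to be kept out of the web root and excluded from directory listing.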

Ctrip has already started an investigation into this vulnerability but, to date, has not yet given an official response. (Shu Shi)
