All-Dynamics Software enlogic:show Digital Signage System 2.0.2 Session Fixation

Severity: Medium
Advisory ID: ZSL-2020-5577
Release Date: 31 July 2020
Vendor: All-Dynamics Software GmbH - https://www.all-dynamics.de
Affected Version: 2.0.2 (Build 2098) ILP32W 0/1/3/1597919619
Tested On: enlogic:show server, Microsoft Windows Server 2019, Microsoft Windows Server 2016, Microsoft Windows Server 2012, Microsoft Windows 10, GNU/Linux, Apache, PHP
Summary

Bring communication with your customers, guests or employees to a new level. You can design content individually and centrally, without complication, and simply present it in different locations. Whether on large displays, steles, digital signs or on a projector, with enlogic:show your content will appear on the selected display in a calendar-controlled and precise manner.

Description

The initial visit from the welcome.php screen to the login page sets a random PHP session identifier in the URL via an HTTP GET request. An attacker can forge the request sent to the victim, fixating the PHP session identifier before the victim authenticates; the fixated session can then be used to bypass authentication and carry out further attacks via CSRF.
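The following is an added illustration, not code from the advisory or from the vendor's product: a constructed in-memory session store with a login routine that adopts a caller-supplied session id (the pattern a session id carried in the URL enables) beside a hardened routine that ignores any client-chosen id and issues a fresh one at authentication time, which is what PHP's session.use_only_cookies=1 together with session_regenerate_id(true) provides.

```python
import secrets


class SessionStore:
    """Constructed toy session store: sid -> session data (not the vendor's code)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # Server-generated, unpredictable id; the client never gets to choose it.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid


def vulnerable_login(store, url_sid, username, password_ok):
    """Adopts whatever session id arrived in the URL and authenticates inside it.
    Whoever chose that id (the attacker, in a fixation scenario) now holds an
    authenticated session for the victim."""
    if url_sid not in store.sessions:
        store.sessions[url_sid] = {"user": None}  # trans-sid style adoption of a caller-chosen id
    if password_ok:
        store.sessions[url_sid]["user"] = username
    return url_sid


def hardened_login(store, url_sid, username, password_ok):
    """Never trusts an id carried in the URL and regenerates the id on successful
    authentication, so a pre-planted id never becomes an authenticated session."""
    if not password_ok:
        return None
    store.sessions.pop(url_sid, None)  # discard any pre-auth state tied to the client-chosen id
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def fixation_succeeds(login):
    """Returns True if an id planted before login ends up authenticated after login."""
    store = SessionStore()
    planted = "constructed-planted-id"  # constructed: an id fixed in the victim's URL beforehand
    login(store, planted, "alice", True)
    # Later presenting the planted id: is it an authenticated session for alice?
    return store.sessions.get(planted, {}).get("user") == "alice"
```

Regenerating the id is the fix; merely hiding the id from the URL without regeneration still leaves a pre-authentication id valid across the login boundary.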

Proof of Concept
Disclosure Timeline
21.07.2020 - Vulnerability discovered.
24.07.2020 - Vendor contacted.
24.07.2020 - Vendor creates Ticket#2020072410000011.
27.07.2020 - Vendor responds asking for more details.
27.07.2020 - Sent details to the vendor.
29.07.2020 - Vendor confirms the issue, scheduling a new fixed version release.
29.07.2020 - Replied to the vendor.
31.07.2020 - Vendor releases version 2.0.3 (Build 2102) that addresses this issue.
31.07.2020 - Coordinated public security advisory release.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
31.07.2020 - Initial release
14.08.2020 - Added references [2] and [3]
09.02.2025 - Fixed a typo
24.03.2026 - Added reference [4]