← Advisories

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion

High

Advisory ID

ZSL-2020-5580

Release Date

13 August 2020

Vendor

Shenzhen Xingmeng Qihang Media Co., Ltd., Guangzhou Hefeng Automation Technology Co., Ltd. - http://www.howfor.com

Affected Version

3.0.9.0

CVE

N/A

Tested On

Microsoft Windows Server 2012 R2 Datacenter, Microsoft Windows Server 2003 Enterprise Edition, ASP.NET 4.0.30319, HowFor Web Server/5.6.0.0, Microsoft ASP.NET Web QiHang IIS Server

Summary

Digital Signage Software.

Description

Input passed to the 'data' parameter in 'QH.aspx' for delete action is not properly sanitised before being used to delete files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected POST parameter.

Proof of Concept

qhsignage_del.txtTXT

Disclosure Timeline

27.07.2020Vulnerability discovered.

28.07.2020Vendor contacted.

31.07.2020No response from the vendor.

10.08.2020Vendor contacted.

12.08.2020No response from the vendor.

13.08.2020Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://packetstormsecurity.com/files/158860

[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/186774

[3]https://www.exploit-db.com/exploits/48749

Changelog

13.08.2020Initial release

14.08.2020Added reference [1] and [2]

18.08.2020Added reference [4]