Zero Science Lab » QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure

Title: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure
Advisory ID: ZSL-2020-5579
Type: Local/Remote
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 13.08.2020

Summary

Digital Signage Software.

Description

The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/User/User.xml' and obtain administrative login information that allows for a successful authentication bypass attack.

Vendor

Shenzhen Xingmeng Qihang Media Co., Ltd. | Guangzhou Hefeng Automation Technology Co., Ltd. - http://www.howfor.com

Affected Version

3.0.9.0

Tested On

Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2003 Enterprise Edition
ASP.NET 4.0.30319
HowFor Web Server/5.6.0.0
Microsoft ASP.NET Web QiHang IIS Server

Vendor Status

[27.07.2020] Vulnerability discovered.
[28.07.2020] Vendor contacted.
[31.07.2020] No response from the vendor.
[10.08.2020] Vendor contacted.
[12.08.2020] No response from the vendor.
[13.08.2020] Public security advisory released.

PoC

qhsignage_creds.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/158859
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/186772
[3] https://cxsecurity.com/issue/WLB-2020080061
[4] https://www.exploit-db.com/exploits/48748

Changelog

[13.08.2020] - Initial release
[14.08.2020] - Added reference [1], [2] and [3]
[18.08.2020] - Added reference [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk