Zero Science Lab » QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability

Title: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability
Advisory ID: ZSL-2020-5581
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 13.08.2020

Summary

Digital Signage Software.

Description

The application suffers from an unauthenticated file disclosure vulnerability when input passed thru the 'filename' parameter when using the download action or thru 'path' parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.

Vendor

Shenzhen Xingmeng Qihang Media Co., Ltd. | Guangzhou Hefeng Automation Technology Co., Ltd. - http://www.howfor.com

Affected Version

3.0.9.0

Tested On

Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2003 Enterprise Edition
ASP.NET 4.0.30319
HowFor Web Server/5.6.0.0
Microsoft ASP.NET Web QiHang IIS Server

Vendor Status

[27.07.2020] Vulnerability discovered.
[28.07.2020] Vendor contacted.
[31.07.2020] No response from the vendor.
[10.08.2020] Vendor contacted.
[12.08.2020] No response from the vendor.
[13.08.2020] Public security advisory released.

PoC

qhsignage_lfi.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/158861
[2] https://cxsecurity.com/issue/WLB-2020080062
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/186773
[4] https://www.exploit-db.com/exploits/48750

Changelog

[13.08.2020] - Initial release
[14.08.2020] - Added reference [1], [2] and [3]
[18.08.2020] - Added reference [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk