B-swiss 3 Digital Signage System 3.6.5 Database Disclosure

Title: B-swiss 3 Digital Signage System 3.6.5 Database Disclosure
Advisory ID: ZSL-2020-5588
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Security Bypass
Risk: (4/5)
Release Date: 19.09.2020
Summary
Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project.
Description
The application is vulnerable to unauthenticated database download and information disclosure. An attacker can use this to obtain sensitive information, resulting in authentication bypass, session hijacking and full system control.
Vendor
B-Swiss SARL | b-tween Sarl - https://www.b-swiss.com
Affected Version
3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Tested On
Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vendor Status
[13.06.2020] Vulnerability discovered.
[15.07.2020] Vendor contacted. (webform)
[17.07.2020] No response from the vendor.
[18.07.2020] Vendor contacted. (email)
[21.07.2020] Vendor responds asking for more details.
[21.07.2020] Sent overview to the vendor asking for secure channel.
[23.07.2020] No response from the vendor.
[24.07.2020] Asked vendor for comment/update/status.
[27.07.2020] Vendor asks for more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Asked vendor for status update.
[30.07.2020] Vendor responds with questions.
[30.07.2020] Replied to the vendor.
[31.07.2020] Vendor looking into roadmap for the problems identified.
[03.08.2020] Replied to the vendor.
[05.08.2020] Vendor responds: if the reported vulnerabilities are applicable, they will create a patch for customers.
[06.08.2020] Asked vendor for patch milestone.
[06.08.2020] Vendor doesn't know.
[18.08.2020] Asked vendor for status update.
[18.09.2020] No response from the vendor.
[18.09.2020] Asked vendor for status update.
[18.09.2020] Vendor refuses to provide any further information.
[18.09.2020] Replied to the vendor, advisory release scheduled 19.09.2020.
[18.09.2020] Vendor working on fix, will inform us when issues have been solved.
[18.09.2020] Replied to the vendor.
[19.09.2020] Public security advisory released.
PoC
bswiss_db.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159230
[2] https://www.exploit-db.com/exploits/48834
[3] https://cxsecurity.com/issue/WLB-2020090121
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/188578
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-22006
[6] https://nvd.nist.gov/vuln/detail/CVE-2020-22006
Changelog
[19.09.2020] - Initial release
[30.09.2020] - Added reference [1], [2], [3] and [4]
[19.06.2021] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk