https://(affectedserver)/wc.dll?wwMaint~EditConfig
The customized webserver used by iChannel is based on an outdated and vulnerable version of WestWind Webserver. This page is available, unauthenticated, to a malicious attacker.
By visiting this link, the attacker can access the webserver configuration edit page. This page reveals sensitive information, allows for alteration of the webserver configuration, upload/modification of the server's configuration and can result in a Denial of Service attack by deleting the configuration.
This has been acknowledged by Conarc and they have been notified of the impact.
If your iChannel install is available publicly, this can result in complete compromise of the server, the web application and severe information leakage/DOS.
Resolution:
Conarc has been notified of this issue. Until this issue is patched, the affected installs should be removed from public access. In the case of private deployments, this page should have an ACL applied to prevent unauthenticated access to this page.
Tuesday, December 19, 2017
Friday, December 15, 2017
BrightSign - Multiple Vulnerablities - CVE-2017-17737, 17738, 17739
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) suffers from multiple vulnerabilities.
The pages:
/network_diagnostics.html
/storage_info.html
Suffer from a Cross-Site Scripting vulnerability. The REF parameter for these pages do not sanitize user input, resulting in arbitrary execution, token theft and related attacks.
The RP parameter in STORAGE.HTML suffers from a directory traversal/information leakage weakness:
/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc
Through parameter manipulation, the file system can be traversed, unauthenticated, allowing for leakage of information and compromise of the device.
This page also allows for unauthenticated upload of files.
/tools.html
Page allows for unauthenticated rename/manipulation of files.
When combined, these vulnerabilities allow for compromise of both end users and the device itself.
Ex. A malicious attacker can upload a malicious page of their choosing and steal credentials, host malicious content or distribute content through the device, which accepts large format SD cards.
The pages:
/network_diagnostics.html
/storage_info.html
Suffer from a Cross-Site Scripting vulnerability. The REF parameter for these pages do not sanitize user input, resulting in arbitrary execution, token theft and related attacks.
The RP parameter in STORAGE.HTML suffers from a directory traversal/information leakage weakness:
/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc
Through parameter manipulation, the file system can be traversed, unauthenticated, allowing for leakage of information and compromise of the device.
This page also allows for unauthenticated upload of files.
/tools.html
Page allows for unauthenticated rename/manipulation of files.
When combined, these vulnerabilities allow for compromise of both end users and the device itself.
Ex. A malicious attacker can upload a malicious page of their choosing and steal credentials, host malicious content or distribute content through the device, which accepts large format SD cards.
Subscribe to:
Posts (Atom)