QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure

Title: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure
Advisory ID: ZSL-2020-5579
Type: Local/Remote
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 13.08.2020
Summary
Digital Signage Software.
Description
The application suffers from a cleartext credentials disclosure vulnerability. An unauthenticated attacker can issue a request to an unprotected directory that hosts the XML file '/xml/User/User.xml' and obtain administrative login information, which allows a successful authentication bypass attack.
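For defenders checking whether the file described above has already been fetched from a deployment, the following is an added example, not part of the original advisory or the vendor's code. It assumes the web server writes W3C extended logs with a `#Fields:` header; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Path named in the advisory, lowercased because Windows paths are case-insensitive.
SENSITIVE_PATH = "/xml/user/user.xml"

# Constructed sample log (assumed W3C extended format, not from a real server).
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-08-13 10:00:01 192.0.2.10 GET /QH.aspx 200
2020-08-13 10:00:05 192.0.2.10 GET /xml/User/User.xml 200
2020-08-13 10:01:12 198.51.100.7 GET /XML/user/%55ser.xml 200
2020-08-13 10:02:30 198.51.100.7 GET /xml/./User/../User/User.xml 404
2020-08-13 10:03:44 203.0.113.5 GET /index.html 200
"""

def normalize(uri_stem):
    """Decode percent-escapes, unify slashes, collapse dot segments, lowercase."""
    path = unquote(uri_stem).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_credential_file_requests(log_text):
    """Return one dict per request for the credentials file, with an 'exposed' flag."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if normalize(row.get("cs-uri-stem", "")) != SENSITIVE_PATH:
            continue
        status = row.get("sc-status", "")
        hits.append({
            "time": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
            "client": row.get("c-ip", ""),
            "status": status,
            # A 2xx status means the file body was served to the client.
            "exposed": status.startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_credential_file_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `exposed` set to true means the stored administrative credentials should be treated as disclosed and changed, in addition to restricting access to the directory.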
Vendor
Shenzhen Xingmeng Qihang Media Co., Ltd. | Guangzhou Hefeng Automation Technology Co., Ltd. - http://www.howfor.com
Affected Version
3.0.9.0
Tested On
Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2003 Enterprise Edition
ASP.NET 4.0.30319
HowFor Web Server/5.6.0.0
Microsoft ASP.NET Web QiHang IIS Server
Vendor Status
[27.07.2020] Vulnerability discovered.
[28.07.2020] Vendor contacted.
[31.07.2020] No response from the vendor.
[10.08.2020] Vendor contacted.
[12.08.2020] No response from the vendor.
[13.08.2020] Public security advisory released.
PoC
qhsignage_creds.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/158859
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/186772
[3] https://cxsecurity.com/issue/WLB-2020080061
[4] https://www.exploit-db.com/exploits/48748
Changelog
[13.08.2020] - Initial release
[14.08.2020] - Added references [1], [2] and [3]
[18.08.2020] - Added reference [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk