QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability

Title: QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability
Advisory ID: ZSL-2020-5581
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 13.08.2020
Summary
Digital Signage Software.
Description
The application suffers from an unauthenticated file disclosure vulnerability when input passed thru the 'filename' parameter when using the download action or thru 'path' parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.
Vendor
Shenzhen Xingmeng Qihang Media Co., Ltd. | Guangzhou Hefeng Automation Technology Co., Ltd. - http://www.howfor.com
Affected Version
3.0.9.0
Tested On
Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2003 Enterprise Edition
ASP.NET 4.0.30319
HowFor Web Server/5.6.0.0
Microsoft ASP.NET Web QiHang IIS Server
Vendor Status
[27.07.2020] Vulnerability discovered.
[28.07.2020] Vendor contacted.
[31.07.2020] No response from the vendor.
[10.08.2020] Vendor contacted.
[12.08.2020] No response from the vendor.
[13.08.2020] Public security advisory released.
PoC
qhsignage_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/158861
[2] https://cxsecurity.com/issue/WLB-2020080062
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/186773
[4] https://www.exploit-db.com/exploits/48750
Changelog
[13.08.2020] - Initial release
[14.08.2020] - Added reference [1], [2] and [3]
[18.08.2020] - Added reference [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk