piSignage 2.6.4 Directory Traversal

2020.01.08
Credit: JunYeong Ko
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: piSignage 2.6.4 - Directory Traversal
# Date: 2019-11-13
# Exploit Author: JunYeong Ko
# Vendor Homepage: https://pisignage.com/
# Version: piSignage before 2.6.4
# Tested on: piSignage before 2.6.4
# CVE : CVE-2019-20354

Summary:
The web application component of piSignage before 2.6.4 allows a remote attacker (authenticated as a low-privilege user) to download arbitrary files from the Raspberry Pi via api/settings/log?file=../ path traversal. In other words, this issue is in the player API for log download.

PoC:
1. Click the Log Download button at the bottom of the 'piSignage' administration page.
2. An HTTP packet is sent when the button is pressed.
3. Change the value of the 'file' parameter to ../../../../../../../../../../etc/passwd.
4. You can see that the /etc/passwd file is read.

References:
https://github.com/colloqi/piSignage/issues/97

