Eibiz i-Media Server Digital Signage Configuration Disclosure Vulnerability
Vulnerability
A configuration disclosure vulnerability has been identified in Eibiz i-Media Server Digital Signage version 3.8.0. This vulnerability allows remote attackers to access sensitive configuration files, such as the SiteConfig.properties file, through direct object references via HTTP GET requests. The exposed files can reveal administrative credentials, database connection details, and other system configuration information.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive configuration information, including administrative credentials and database details. This exposure could facilitate authentication bypass, privilege escalation, or full system access.
Reproduction
The vulnerability can be reproduced by sending an HTTP GET request to the server with a direct reference to the SiteConfig.properties file. This can be done using a web browser or a tool like curl. The request will return the contents of the configuration file, which includes sensitive information such as usernames, passwords, and database connection details.
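A request of this kind is visible in the web server's access log, so defenders can check whether the file has already been served. The following is an added example, not part of the original advisory or the vendor's code: it assumes Combined Log Format access logs, and the sample log lines, IP addresses and the /example/ path are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Matches SiteConfig.properties (named in the advisory) and sibling .properties files.
SENSITIVE_SUFFIX = ".properties"


def classify(line):
    """Return None for unrelated lines, else a finding dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, then decode twice so %2e and %252e are normalised.
    path = unquote(unquote(urlsplit(m["target"]).path))
    name = path.rsplit("/", 1)[-1].lower()
    if not name.endswith(SENSITIVE_SUFFIX):
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    # A 200/206 with a body means the file content left the server.
    served = m["status"] in ("200", "206") and size > 0
    return {"ip": m["ip"], "time": m["time"], "path": path,
            "verdict": "DISCLOSED" if served else "attempt"}


def scan(lines):
    return [f for f in map(classify, lines) if f]


# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /example/SiteConfig.properties HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /example/siteconfig%2Eproperties?x=1 HTTP/1.1" 403 - "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["verdict"], f["ip"], f["time"], f["path"])
```

Any DISCLOSED hit means the credentials and database details in that file should be treated as compromised and rotated.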
