QiHang Media Web Digital Signage Unauthenticated Arbitrary File Deletion Vulnerability

Vulnerability

An unauthenticated file deletion vulnerability has been identified in QiHang Media Web Digital Signage version 3.0.9. The issue resides in the QH.aspx endpoint, where the 'data' parameter is not properly sanitized before being used to delete files. This vulnerability allows remote attackers to delete arbitrary files with the permissions of the web server, using absolute file paths or directory traversal sequences. The vulnerability was tested and confirmed on multiple versions of Windows Server.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of files on the server, potentially leading to disruption of services or loss of important data.

Reproduction

To reproduce this vulnerability, send a POST request to the QH.aspx endpoint with the 'data' parameter containing the file paths of the files to be deleted. The request must be made without authentication, and the file paths can include directory traversal sequences to bypass restrictions and delete arbitrary files.
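A containment check of the kind that stops both absolute paths and traversal sequences from reaching a delete call, shown here as an added example (not code from the original advisory or from QiHang Media). The helper name `ResolveInsideRoot`, the root directory and the sample inputs are assumptions constructed for illustration.

```csharp
using System;
using System.IO;

// Added example: hypothetical helper, not QiHang Media code.
public static class SafeDelete
{
    // Resolves a client-supplied name against an allowed root and returns the
    // canonical path, or null if the result would fall outside that root.
    public static string ResolveInsideRoot(string root, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;

        // Canonical root with a trailing separator, so "C:\media" does not
        // also match a sibling directory such as "C:\media-backup".
        string fullRoot = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // Path.Combine discards 'root' when 'requested' is rooted
            // (absolute path, drive letter, UNC), and GetFullPath collapses
            // "..\" segments. Both cases are caught by the prefix test below.
            candidate = Path.GetFullPath(Path.Combine(fullRoot, requested));
        }
        catch (Exception e) when (e is ArgumentException
                                  || e is NotSupportedException
                                  || e is PathTooLongException)
        {
            return null; // malformed path
        }

        return candidate.StartsWith(fullRoot, StringComparison.OrdinalIgnoreCase)
            ? candidate
            : null;
    }

    public static void Main()
    {
        string root = @"C:\SignageData\media"; // constructed sample root
        string[] samples = { "clip01.mp4", @"sub\clip02.mp4", @"..\..\web.config",
                             @"C:\Windows\win.ini", @"\\host\share\x" }; // constructed inputs
        foreach (string s in samples)
            Console.WriteLine("{0,-22} -> {1}", s, ResolveInsideRoot(root, s) ?? "REJECTED");
    }
}
```

On Windows the first two samples resolve inside the root and the last three are rejected. The check covers path handling only; the missing authentication on the endpoint is a separate defect.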

Added: Dec 10, 2025, 9:36 PM
Updated: Dec 10, 2025, 9:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.4
threat: 6.7
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.