QiHang Media Web Digital Signage Unauthenticated Arbitrary File Disclosure Vulnerability
Vulnerability
An unauthenticated file disclosure vulnerability has been identified in QiHang Media Web Digital Signage version 3.0.9. The vulnerability allows remote attackers to access sensitive files because the 'filename' and 'path' parameters are not validated. The issue occurs in the QH.aspx endpoint, where attackers can manipulate the download and getAll actions to read arbitrary files and directory contents without authentication.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive files and directory information on the server.
Reproduction
The vulnerability can be reproduced by sending a GET request to the QH.aspx endpoint with the 'filename' parameter set to traverse directories and access sensitive files, such as Web.config or Global.asax. Alternatively, a POST request can be sent to the same endpoint with the 'path' parameter to disclose directory contents.
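For defenders, the request pattern described above can be hunted for in web server logs. The following is an added example, not code from the advisory or the vendor; the five-field log layout, the "action" parameter name and all sample values are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines: method, uri-stem, uri-query, client-ip, status.
# The "action" parameter name and every value below are assumptions.
SAMPLE_LOG = """\
GET /QH.aspx action=download&filename=..%2fWeb.config 203.0.113.7 200
GET /QH.aspx action=download&filename=promo_loop.mp4 198.51.100.4 200
GET /qh.aspx action=download&filename=%252e%252e%255cGlobal.asax 203.0.113.7 200
GET /QH.aspx action=getAll&path=..%5c..%5c 203.0.113.9 200
GET /index.aspx filename=..%2fWeb.config 198.51.100.4 404
"""

# "." or ".." path segments, drive letters, or rooted paths
TRAVERSAL = re.compile(r"(^|[\\/])\.\.?([\\/]|$)|^[a-z]:|^[\\/]", re.I)
# The two files the advisory names as disclosure targets
SENSITIVE = re.compile(r"(^|[\\/])(web\.config|global\.asax)$", re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious(stem, query):
    """Return a reason string if the request matches the advisory's pattern."""
    if not stem.lower().endswith("/qh.aspx"):
        return None
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in ("filename", "path"):
            continue
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            return f"{name}: relative or absolute path outside expected form"
        if SENSITIVE.search(value):
            return f"{name}: application config/source file requested"
    return None

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        reason = suspicious(fields[1], fields[2]) if len(fields) == 5 else None
        if reason:
            hits.append((fields[3], reason))
    return hits
```

IIS W3C logs do not record request bodies, so the POST variant that carries 'path' in the body will not appear in the query field; catching it requires body inspection at a reverse proxy or WAF in front of QH.aspx.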
