Verysync 微力同步 Web Administration Module Information Disclosure Vulnerability
Vulnerability
An arbitrary file download vulnerability has been identified in the Web Administration Module of Verysync 微力同步 version 2.21.3. This vulnerability arises because the module's core interface lacks proper identity authentication, allowing attackers to remotely access and download synchronization files as well as sensitive system files from the target device. The vulnerability is currently public and exploitable, with no authentication required for exploitation.
Impact
Exploitation of this vulnerability allows for unauthorized access to synchronization files and sensitive system files on the target device.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/safebrowsing/clientreport/download' endpoint with a 'key' parameter. This request can be made without any authentication, and it will result in the download of arbitrary files, such as the '/etc/passwd' file, from the target device.
Remediation
It is recommended to strengthen access controls for the Web Administration Module, allowing only local or whitelisted access. Additionally, enabling log audits to monitor access records and file download operations can help identify and respond to abnormal requests.
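The log audit recommended above, as an added example that is not part of this advisory or of Verysync's own code: it parses common-format access-log lines, flags hits on the '/safebrowsing/clientreport/download' endpoint from sources outside an allowlist, and also flags a 'key' value that names an absolute or traversing path when it appears in the query string. The allowlist ranges, the log format and the sample lines are assumptions; since the advisory describes 'key' as a POST parameter, which ordinary access logs do not record, the source-allowlist check is the one that matters in practice.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory; the allowlist is an assumption
# standing in for a deployment's own "local or whitelisted" sources.
DOWNLOAD_ENDPOINT = "/safebrowsing/clientreport/download"
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Common access-log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines, not taken from any real device.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /api/status HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "POST /safebrowsing/clientreport/download HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "POST /safebrowsing/clientreport/download HTTP/1.1" 200 1837
203.0.113.7 - - [10/Oct/2023:13:57:40 +0000] "GET /safebrowsing/clientreport/download?key=/etc/passwd HTTP/1.1" 200 1837
this line is malformed and must be skipped, not counted
"""

def is_allowed_source(ip):
    """True if the client address is inside the allowlist; unparsable addresses never are."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)

def find_suspicious(log_text):
    """One finding per download-endpoint hit from outside the allowlist or with a path-like 'key'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        rec = m.groupdict()
        url = urlsplit(rec["target"])
        if url.path != DOWNLOAD_ENDPOINT:
            continue
        reasons = []
        if not is_allowed_source(rec["ip"]):
            reasons.append("source not allowlisted")
        for key in parse_qs(url.query).get("key", []):
            if key.startswith("/") or ".." in key:
                reasons.append("key names a filesystem path: " + key)
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["time"], "method": rec["method"], "reasons": reasons})
    return findings
```

Run over SAMPLE_LOG this reports the two requests from 203.0.113.7 and stays silent on the allowlisted 10.0.0.5 download.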
