BW Broadcast Transmitter Session Hijacking Vulnerability

Vulnerability

A session hijacking vulnerability exists in the BW Broadcast Transmitter Management System, specifically in the TX600, TX300, TX150, TX1000, TX30, and TX50 models. This vulnerability arises from incorrect access control that allows log files to be accessed over HTTP without authentication. These logs contain sensitive session identifiers related to successful remote logins, which attackers can extract and use to gain unauthorized access to the system, potentially leading to administrative compromise.

Impact

Exploitation of this vulnerability allows unauthorized access to the system through extracted session identifiers, enabling session hijacking and possible administrative rights compromise.

Reproduction

The vulnerability can be reproduced by accessing the exposed log files over HTTP. The logs can be found in the root directory or within a 'log' subdirectory, depending on the version. No authentication is required to access these files, which contain session identifiers that can be used for session hijacking.

Remediation

To address this vulnerability, BW Broadcast should implement access controls that restrict log file access to authenticated, authorized users only. Public (unauthenticated) HTTP access to log files should be disabled, and sensitive data such as session identifiers should be redacted before it is written to a log. Additionally, a security review could help identify other exposure points of the same kind, and monitoring for unauthorized log access attempts could provide an extra layer of detection.
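The two defensive measures above, redacting session identifiers before they reach a log and detecting unauthenticated fetches of log files from a web server's access log, are shown below as an added example. This is not code from BW Broadcast or from the advisory; the login-log layout, the `session=`/`sid=` key names and the access-log lines are constructed assumptions, since the advisory does not show the real log format.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample lines in a hypothetical remote-login log format.
# The real transmitter log layout is not shown in the advisory.
SAMPLE_LOGIN_LOG = [
    "2025-06-09 19:46:01 login ok user=admin from=203.0.113.5 session=3f9c2a7e1b4d8e6f",
    "2025-06-09 19:47:12 login ok user=operator from=198.51.100.9 sid=AbCdEf0123456789",
    "2025-06-09 19:48:00 login failed user=admin from=203.0.113.77",
]

# Constructed sample lines in Apache/nginx combined access-log format.
# Two lines show unauthenticated 200 responses for log files (the exposure);
# one shows a 403, as expected once access control is in place.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [09/Jun/2025:19:50:01 +0000] "GET /log/login.log HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.5 - - [09/Jun/2025:19:50:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.9 - - [09/Jun/2025:19:51:00 +0000] "GET /system.log HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Jun/2025:19:52:10 +0000] "GET /log/ HTTP/1.1" 200 880 "-" "curl/8.0"',
    '192.0.2.8 - - [09/Jun/2025:19:53:00 +0000] "GET /catalog/page.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Keys whose values are session credentials (assumed names; extend for the real product).
SESSION_RE = re.compile(r"\b(session|sessionid|sid|token)=([A-Za-z0-9_\-]+)", re.IGNORECASE)


def redact_session_ids(line: str) -> str:
    """Replace the value of any session-like key with a fixed marker so the
    log still records that a login happened, but no longer contains a
    reusable credential."""
    return SESSION_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def sanitize_log(lines: Iterable[str]) -> List[str]:
    """Redact every line; this is what a log writer should apply before persisting."""
    return [redact_session_ids(line) for line in lines]


def contains_session_id(line: str) -> bool:
    """True if an unredacted session identifier is still present (audit check)."""
    return any(m.group(2) != "[REDACTED]" for m in SESSION_RE.finditer(line))


# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# A path is "log-like" if it is the /log directory itself, anything under it,
# or any file ending in .log. "/catalog/" and "/logo.png" deliberately do not match.
LOG_PATH_RE = re.compile(r"(^|/)log(/|$)|\.log$", re.IGNORECASE)


def find_exposed_log_requests(access_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for every request that successfully fetched a
    log-like path. A 200 here means the server handed the file out; with access
    control in place these requests should be 401/403 and produce no hits."""
    hits: List[Tuple[str, str]] = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _method, path, status = m.groups()
        path_only = path.split("?", 1)[0]  # ignore query string
        if status == "200" and LOG_PATH_RE.search(path_only):
            hits.append((ip, path_only))
    return hits


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOGIN_LOG, sanitize_log(SAMPLE_LOGIN_LOG)):
        print(f"{'LEAK ' if contains_session_id(original) else 'ok   '} {cleaned}")
    for ip, path in find_exposed_log_requests(SAMPLE_ACCESS_LOG):
        print(f"ALERT unauthenticated log fetch from {ip}: {path}")
```

`sanitize_log` belongs in the logging path of the device firmware, not in a post-hoc cleanup, because a log that ever contained a live session identifier has already been exposed. `find_exposed_log_requests` is the monitoring side: run it over the web server's access log and alert on any hit; after the access control fix, the same requests should appear with a 403 and produce no hits, which doubles as a regression check for the remediation.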

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.