Creacast Creabox Manager Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in Creacast Creabox Manager version 4.4.4. The issue arises from a publicly accessible endpoint, '/get', which exposes sensitive internal configuration data. This includes the 'creacodec.lua' file, containing plaintext admin credentials. The vulnerability allows unauthorized users to access confidential information that could be exploited for unauthorized access or control over the application.

Impact

Exploitation of this vulnerability leads to the disclosure of plaintext admin credentials, allowing unauthorized access to the device and streaming infrastructure. This could result in a takeover of audio or video streams or full administrative control over the application.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/get' endpoint. This can be done manually using a tool like curl, which will return the internal configuration data, including plaintext admin credentials. Alternatively, a script can be used to automate the extraction of these credentials from the response.

Remediation

To address this vulnerability, access to the '/get' endpoint should be restricted using authentication. Hardcoded credentials and sensitive configuration data should not be exposed through public endpoints. Instead, this information should be stored server-side, with user-facing outputs sanitized and limited. As a temporary measure, external access to the '/get' endpoint can be blocked using firewall or reverse proxy rules, and monitoring can be implemented for suspicious access attempts.