EzAdsPro "BlackBox" Application Advisory
This vulnerability was discovered by Nik Stinson.
The following document describes identified vulnerabilities in the EzAdsPro “BlackBox” application.
Product Vendor
EzAdsPro
Product Description
EzAdsPro “BlackBox” is set of advertisement tools across various mediums. The project’s official website is https://www.ezadspro.com/.
Vulnerabilities List
One vulnerability was identified within the EzAdsPro application:
- Sensitive Information Disclosure
This vulnerability is described in the following sections.
Affected Version
EzAdsPro “BlackBox” application
Summary of Findings
Installations of EzAdsPro applications allowed directory listing and access to all documents within /feeds/ , /sms/, and most subdirectories within /blackbox/.
Impact
Files within these directories contained PII and credentials that could be used to further compromise the underlying system.
Solution
The affected EzAdsPro hosted software has been updated on the backend, no user action should be necessary.
Vulnerabilities
Sensitive Information disclosure – Directory Browsing
Directory browsing was enabled within the /feeds/, /sms/, and most directories within the /blackbox/ directory in the EzAdsPro “BlackBox” application. Files exposed within these directories contained sensitive PII and credentials that could be used to further compromise the underlying system.
Vulnerability Details
Vulnerability Type: Sensitive Information Disclosure
Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)
Impact: ☐ Code execution, ☒ Denial of service, ☐ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)
Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low
Vulnerability: CWE-200
When directory indexing is enabled on a web server or as part of a software suite, any user can browse through the contents of publicly accessible directories. This often reveals sensitive information that would otherwise be difficult to identify, and under certain circumstances, these files may also be executable.
The following directories were found to be exposed and are believed to be exposed on every EzAdsPro “Blackbox” installation:
/feeds/ /sms/ Almost all directories under: /blackbox/
The directories were reviewed for files containing sensitive information and several files containing customer PII, underlying system file paths and directories, and in some cases, hardcoded credentials were identified.
Timeline
- 06/02/2022: Initial discovery
- 10/27/2022: Contact with vendor
- 10/27/2022: Vulnerability submitted to vendor
- 1/4/2023: Reached out for vendor for confirmation of remediation (no response)
- 1/18/2023: Reached out to vendor for confirmation of remediation
- 1/18/2023: Confirmation of remediation received
- 1/25/2023: Vulnerabilities publicly disclosed
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
