Understand how Red Teaming can be your ultimate strategic "Sanity Check" Register now ›

Gauge showing high severity reading for a security advisory for EzAdsPro “BlackBox” application.

Share

EzAdsPro "BlackBox" Application Advisory

This vulnerability was discovered by Nik Stinson.

The following document describes identified vulnerabilities in the EzAdsPro “BlackBox” application.

Product Vendor

EzAdsPro

Product Description

EzAdsPro “BlackBox” is set of advertisement tools across various mediums. The project’s official website is https://www.ezadspro.com/.

Vulnerabilities List

One vulnerability was identified within the EzAdsPro application:

  • Sensitive Information Disclosure

This vulnerability is described in the following sections.

Affected Version

EzAdsPro “BlackBox” application

Summary of Findings

Installations of EzAdsPro applications allowed directory listing and access to all documents within /feeds/ , /sms/, and most subdirectories within /blackbox/.

Impact

Files within these directories contained PII and credentials that could be used to further compromise the underlying system.

Solution

The affected EzAdsPro hosted software has been updated on the backend, no user action should be necessary.


Vulnerabilities

Sensitive Information disclosure – Directory Browsing

Directory browsing was enabled within the /feeds/, /sms/, and most directories within the /blackbox/ directory in the EzAdsPro “BlackBox” application. Files exposed within these directories contained sensitive PII and credentials that could be used to further compromise the underlying system.

Vulnerability Details

Vulnerability Type: Sensitive Information Disclosure

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☐ Code execution, ☒ Denial of service, ☐ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low

Vulnerability: CWE-200

When directory indexing is enabled on a web server or as part of a software suite, any user can browse through the contents of publicly accessible directories. This often reveals sensitive information that would otherwise be difficult to identify, and under certain circumstances, these files may also be executable.

The following directories were found to be exposed and are believed to be exposed on every EzAdsPro “Blackbox” installation:


/feeds/
/sms/
Almost all directories under:
/blackbox/


The directories were reviewed for files containing sensitive information and several files containing customer PII, underlying system file paths and directories, and in some cases, hardcoded credentials were identified.

Timeline

  • 06/02/2022: Initial discovery
  • 10/27/2022: Contact with vendor
  • 10/27/2022: Vulnerability submitted to vendor
  • 1/4/2023: Reached out for vendor for confirmation of remediation (no response)
  • 1/18/2023: Reached out to vendor for confirmation of remediation
  • 1/18/2023: Confirmation of remediation received
  • 1/25/2023: Vulnerabilities publicly disclosed

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Dan Petro Headshot

About the author, Dan Petro

Lead Researcher at Bishop Fox

Dan Petro is a Lead Researcher at Bishop Fox and focuses on application penetration testing (static and dynamic), product security reviews, network penetration testing (external and internal), and cryptographic analysis. Dan has presented at several Black Hats and DEF CONs on topics such as hacking smart safes, hijacking Google Chromecasts, and weaponizing AI. He has developed several open-source tools including Untwister, which breaks pseudorandom number generators. Additionally, Dan has been quoted in Wired, The Guardian, Business Insider, and Mashable. Dan holds both a Bachelor of Science and a Master of Science in Computer Science from Arizona State University.
More by Dan

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.