Sielco PolyEco is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a specially crafted request to gain access to sensitive information.
The application interface allows users to perform certain actions via HTTP requests without any validity checks on those requests. This can be exploited to perform certain actions and manipulate the RDS text display.
PolyEco is the innovative family of high-end digital FM transmitters from Sielco. They are especially suited as high-performance power system exciters or compact low-to-mid power transmitters. The same cabinet may in fact be fitted with a 50, 100, 300, 500 or 1000 W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large 4.3" touch-screen display or remotely. Many advanced features are included by default in the basic version, such as: stereo and RDS encoder, audio change-over, remote control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources behind protected pages.
The application suffers from an authentication bypass and account takeover/lockout vulnerability that can be triggered by directly calling the users object and modifying the password of the two built-in user/role accounts (user/admin). This can be exploited by an unauthenticated adversary who issues a single POST request to the vulnerable endpoint, gaining unauthorized access to the affected device with administrative privileges.
The application suffers from a privilege escalation vulnerability. A user with Read permissions can elevate their privileges by sending an HTTP POST request that sets the parameter 'auth1', 'auth2' or 'auth3' to the integer value '1' for Write or '2' for Admin permissions.
The application suffers from improper access control when editing users. A user with Read permissions can, by sending a single HTTP POST request with modified parameters, edit other users' names, passwords and permissions, including the admin password.
The session cookie 'id' is of insufficient length and can be brute-forced, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter.
An already authenticated attacker can send a normal request to change their own password, then reuse the same JSON object together with the vulnerable API token key in that request to change the admin account's password. The attacker can then log in to the admin account and act with administrative privileges.
The WebView2 development platform is vulnerable to spoofing attacks. An attacker can build a malicious web app and distribute it to the victim's networks; when a victim opens it, the consequences for them can be severe.
The application does not sanitize the 'img' parameter when data is sent to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and then accessing it, leading to remote code execution.