Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure

What is the "Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure?"

The "Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure" module is designed to detect a vulnerability in the Sony BRAVIA Digital Signage system. This vulnerability allows an unauthenticated attacker to access sensitive information by visiting certain API endpoints on the device. The severity of this vulnerability is classified as low.

This module was authored by geeknik.

Impact

If exploited, this vulnerability can result in the disclosure of sensitive information running on the Sony BRAVIA Digital Signage system. This information can include details about the contents server, network interfaces, server time, and host IP.

How the module works?

The module works by sending a GET request to the "/api/system" endpoint on the Sony BRAVIA Digital Signage system. It then applies several matching conditions to determine if the vulnerability is present.

The matching conditions include:

- The response body must contain the following words: "contentsServer", "networkInterfaces", "serverTime", and "hostIp". - The response headers must include either "text/plain" or "application/json". - The response status code must be 200.

If all of these conditions are met, the module reports the vulnerability.

Example HTTP request:

GET /api/system

For more information about this vulnerability, you can refer to the following references:

- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php - ...