SOUND4 Impact/Pulse/First/Eco <=2.x - Information Disclosure

What is the "SOUND4 Impact/Pulse/First/Eco <=2.x - Information Disclosure?" module?

The "SOUND4 Impact/Pulse/First/Eco <=2.x - Information Disclosure" module is designed to detect a vulnerability in the SOUND4 software versions Impact, Pulse, First, and Eco up to version 2.x. This module focuses on identifying instances of sensitive directory indexing or information disclosure. The severity of this vulnerability is classified as medium.

This module was authored by arafatansari.

Impact

An unauthenticated attacker can exploit this vulnerability to gain access to the log directory of the targeted server. By accessing the log files, the attacker can obtain sensitive information and system details, potentially leading to further exploitation or unauthorized access.

How does the module work?

The module utilizes HTTP request templates and matching conditions to identify instances of the vulnerability. It sends a GET request to the "/log/" path and checks for specific response conditions. The matching conditions include:

- The presence of the "" and "Parent Directory" keywords in the response body. - A response status code of 200.

If both conditions are met, the module flags the vulnerability as detected.

It is important to note that the module does not disclose the actual JSON definitions used but focuses on the technical aspects of the vulnerability detection process.

Example HTTP request:

GET /log/ HTTP/1.1
Host: [target_host]

The module's matching conditions ensure that the response contains the expected keywords and a successful status code, indicating the presence of the vulnerability.

For more information, you can refer to the PacketStorm website.