[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]

Subject: [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
From: agcarver+ale at acarver.net (Alex Carver)
Date: Tue, 7 Mar 2017 08:57:50 -0800
In-reply-to: <1928427077.255664.1488904781855.JavaMail.zimbra@outpostsentinel.com>
References: <[email protected]> <1928427077.255664.1488904781855.JavaMail.zimbra@outpostsentinel.com>

On 2017-03-07 08:39, Chris Fowler wrote:
> PHP on the device eh?  I would assume they should be expecting to fix hacks 
> every week.....
> 

It's not PHP itself, it's WD's poor scripting.  Any language would have
been vulnerable given what they did in the example snippets provided.
They simply didn't bother to sanitize any inputs and passed them on to
the popen() and system() calls.

References:
- [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
  - From: joey at joeykelly.net (Joey Kelly)
- [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
  - From: cfowler at outpostsentinel.com (Chris Fowler)

Prev by Date: [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
Next by Date: [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
Previous by thread: [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
Next by thread: [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
Index(es):
- Date
- Thread