An OS command injection vulnerability exists in the web interface of mobro-raspberrypi. It allows an unauthenticated attacker to execute arbitrary OS commands on the host, with the privileges of the web server.
mobro-raspberrypi v12.3 and older
/api/log/index.php?lines=0 /dev/null;uptime;ls
The output of the uptime command is shown in the HTTP response.
An unsanitized GET parameter is passed to shell_exec() at api/log/index.php:8.
An unauthenticated user is able to execute arbitrary OS commands by including semicolons in the lines parameter to terminate the intended command.
Ensure that $_GET['lines'] is numeric, as is already done in the syslog component.
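The check the remediation calls for, as an added example written for this advisory and not code from the mobro-raspberrypi project: a hypothetical log endpoint that builds a tail command from the lines parameter, shown first in the unsanitized shape the description outlines and then in a hardened shape that accepts only a bounded non-negative integer and quotes every argument with escapeshellarg(). The tail command, the log path constant and all function names are assumptions; the self-check at the end uses the request from the PoC above as one of its constructed inputs.

```php
<?php
// Added illustrative example; not the project's own api/log/index.php.
// Assumes a log endpoint that runs `tail -n <lines> <logfile>`; the log path,
// command and function names are placeholders chosen for this example.
declare(strict_types=1);

const LOG_PATH = '/var/log/example.log'; // placeholder, not a project path

// Unsanitized pattern (what the advisory describes): the raw query value is
// concatenated into the command line, so shell metacharacters in `lines`
// change which commands the web server process runs.
function readLogUnsanitized(array $get): string
{
    $lines = $get['lines'] ?? '20';
    return (string) shell_exec('tail -n ' . $lines . ' ' . LOG_PATH);
}

// Validation helper: returns the value as an int only if it is a plain
// integer within [0, $max]; anything else (including the PoC payload) gives null.
function validateLines($raw, int $max = 1000): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays such as lines[]=... are rejected outright
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Hardened handler: validate first and reject with 400 on failure, then still
// quote each argument so the command line cannot be reshaped even if the
// validation is relaxed by a later change.
function readLogHardened(array $get): ?string
{
    $lines = validateLines($get['lines'] ?? '20');
    if ($lines === null) {
        http_response_code(400);
        return null;
    }
    $cmd = 'tail -n ' . escapeshellarg((string) $lines)
         . ' ' . escapeshellarg(LOG_PATH);
    return (string) shell_exec($cmd);
}

// Constructed self-check: the first input is the request from the PoC and
// must be rejected; ordinary counts must pass through unchanged.
function selfCheck(): void
{
    $cases = [
        ['0 /dev/null;uptime;ls', null],
        ['25', 25],
        ['-1', null],
        ['1e3', null],
        ['20 ', 20],   // surrounding whitespace is tolerated by FILTER_VALIDATE_INT
    ];
    foreach ($cases as [$input, $expected]) {
        if (validateLines($input) !== $expected) {
            throw new RuntimeException("validateLines('$input') returned an unexpected value");
        }
    }
    echo "validateLines: all constructed cases behaved as expected\n";
}

selfCheck();
```

The validation alone closes the injection the advisory describes; escapeshellarg() is kept as a second layer because a later edit that widens the accepted values (for example to allow a filename) would otherwise reopen the same path to shell_exec().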