../ advisories/

Security advisory

An OS command injection vulnerability exists in the web interface of mobro-raspberrypi. It allows an unauthenticated attacker to execute arbitrary OS commands on the host, with the privileges of the web server.

Affected products

mobros-raspberrypi v12.3 and older

Steps to reproduce

  1. Visit /api/log/index.php?lines=0 /dev/null;uptime;ls

The output of the uptime command is shown in the HTTP response.

Cause

An unsanitized GET parameter is passed to shell_exec() at api/log/index.php:8.

Impact

An unauthenticated user is able to execute arbitrary OS commands by including semicolons in the lines parameter to terminate the intended command.

Proposed Mitigation

Ensure that $_GET['lines'] is numeric, as is already done in the syslog component.

History