An OS command injection vulnerability exists in the web interface of mobro-raspberrypi. It allows an unauthenticated attacker to execute arbitrary OS commands on the host, with the privileges of the web server.
Affected versions: mobro-raspberrypi v12.3 and older.
When uptime is injected as the extra command, its output is returned in the HTTP response.
An unsanitized GET parameter is passed to shell_exec() at api/log/index.php:8.
An unauthenticated user can execute arbitrary OS commands by including a semicolon in the lines parameter: the semicolon terminates the intended command, and the shell runs whatever follows it.
Recommended fix: validate that $_GET['lines'] is numeric before it reaches the shell, as is already done in the syslog component.
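The following is an added example, not code from the mobro-raspberrypi project, illustrating both the injection described above and the recommended fix. The page gives only the sink (shell_exec() at api/log/index.php:8) and the parameter name (lines); the surrounding "tail -n <lines> <logfile>" command, the log file path, the request URL and the upper bound on lines are assumptions made for illustration.

```php
<?php
// Added example, not the project's code. The real command built around the
// lines parameter at api/log/index.php:8 is not reproduced on the advisory;
// "tail -n <lines> <logfile>" and the log path below are assumed stand-ins.

$logfile = '/var/log/syslog'; // assumed path

// Vulnerable pattern reconstructed from the advisory: the raw GET value is
// interpolated into the command string. A request such as
//   GET /api/log/index.php?lines=10;uptime     (host and exact URL assumed)
// makes the shell run "tail -n 10", then "uptime" (with the rest of the line
// as its arguments), as the web server user; uptime's output is then echoed
// back in the HTTP response.
function read_log_vulnerable(string $lines, string $logfile): ?string
{
    return shell_exec("tail -n " . $lines . " " . $logfile);
}

// Hardened version: accept only a string of digits within a sane range,
// reject anything else before it reaches the shell, and quote what is left.
function read_log_hardened($lines, string $logfile): ?string
{
    // $_GET values may also be arrays (lines[]=x), so check the type first.
    // ctype_digit() rejects "", "10;uptime", "-1", "1e3" and anything with
    // whitespace, so only a plain run of digits survives.
    if (!is_string($lines) || !ctype_digit($lines)) {
        return null;
    }
    $n = (int) $lines;
    if ($n < 1 || $n > 1000) { // assumed limit; stops tail dumping huge files
        return null;
    }
    // escapeshellarg() is belt-and-braces here: $n is already an integer.
    return shell_exec("tail -n " . escapeshellarg((string) $n) . " " . escapeshellarg($logfile));
}

header('Content-Type: text/plain');
$result = read_log_hardened($_GET['lines'] ?? '50', $logfile);
if ($result === null) {
    http_response_code(400);
    echo "invalid 'lines' parameter\n";
} else {
    echo $result;
}
```

The allow-list check is the fix the advisory recommends: the value is reduced to an integer before any string is built, so there is nothing left for a semicolon, backtick or $() to attach to. Wrapping the raw value in escapeshellarg() alone would also neutralise the semicolon, but it would still hand tail an arbitrary non-numeric argument, which is why the numeric check comes first.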