../ advisories/

Security advisory

Multiple command injection vulnerabilities exist in openWB version 1.7 and older. Each allows an unauthenticated user to execute arbitrary OS commands on the host. In the default configuration of openWB, commands can be executed with root privileges.

Affected products

Steps to reproduce

  1. Visit http://target/openWB/modules/soc_eq/callback_lp.php?code=1&state=;uptime>/tmp/hax;echo
  2. Observe that the file /tmp/hax has been created on the server, containing the output of uptime.


Unsanitized user input is passed to system() at callback_lp.php:4, callback_lp1.php:4 and callback_lp2.php:4.


An unauthorized user is able to execute arbitrary OS commands.

In the default openWB configuration, the www-data user is given unconstrained sudo access. For this reason, any command can trivially be executed with root privileges.

Proposed Mitigation

Sanitize the user input using a function such as escapeshellargs() before passing it to system().