[ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]
Alex Carver
agcarver+ale at acarver.net
Tue Mar 7 11:57:50 EST 2017
On 2017-03-07 08:39, Chris Fowler wrote:
> PHP on the device eh? I would assume they should be expecting to fix hacks
> every week.....
>
It's not PHP itself, it's WD's poor scripting. Any language would have
been vulnerable given what they did in the example snippets provided.
They simply didn't bother to sanitize any inputs and passed them on to
the popen() and system() calls.
More information about the Ale
mailing list