Bugtraq mailing list archives
Synology Video Station command injection and multiple SQL injection vulnerabilities
From: "Securify B.V." <lists () securify nl>
Date: Wed, 9 Sep 2015 20:15:53 +0200
------------------------------------------------------------------------
Synology Video Station command injection and multiple SQL injection vulnerabilities
------------------------------------------------------------------------
Han Sahin, September 2015
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Synology Video Station is vulnerable to command injection that allows an attacker to execute arbitrary system commands with root privileges. In addition, Video Station is affected by multiple SQL injection vulnerabilities that allow for execution of arbitrary SQL statements with DBA privileges. As a result, it is possible to compromise the PostgreSQL database server.
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
These issues affect Synology Video Station versions up to and including version 1.5-0757.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology has reported that these issues have been resolved in:
- Video Station version 1.5-0757 [audiotrack.cgi]
- Video Station version 1.5-0763 [watchstatus.cgi]
- Video Station version 1.5-0763 [subtitle.cgi]
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html