Vulnerability Note VU#326830
NAS4Free version 18.104.22.168 contains a remote command execution vulnerability
NAS4Free version 22.214.171.124.804 and possibly earlier versions contain a remote code execution vulnerability (CWE-94).
CWE-94: Improper Control of Generation of Code ('Code Injection')
NAS4Free version 126.96.36.199.804 and possibly earlier versions contain a remote code execution vulnerability. NAS4Free allows an authenticated user to post PHP code to an HTTP script and have the code executed remotely. By default, NAS4Free runs with root privileges. A remote authenticated attacker can send an HTTP POST request containing a malicious PHP file, which can cause the script to run directly on the machine.
A remote authenticated attacker may be able to execute arbitrary code as root on the system.
We are currently unaware of a practical solution to this problem.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| NAS4Free | Affected | 08 Oct 2013 | 28 Oct 2013 |

Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-3631
- Date Public: 30 Oct 2013
- Date First Published: 30 Oct 2013
- Date Last Updated: 30 Oct 2013
- Document Revision: 28