
CERT Coordination Center

NAS4Free version contains a remote command execution vulnerability

Vulnerability Note VU#326830

Original Release Date: 2013-10-30 | Last Revised: 2013-10-30


Overview

NAS4Free version and possibly earlier versions contain a remote code execution vulnerability (CWE-94).


Description

CWE-94: Improper Control of Generation of Code ('Code Injection')

NAS4Free version and possibly earlier versions contain a remote code execution vulnerability. The NAS4Free web interface accepts PHP code submitted by an authenticated user in the body of an HTTP POST request and executes that code on the server instead of treating it as data. Because NAS4Free runs its web interface with root privileges by default, a remote attacker who holds valid credentials can send a crafted POST request containing PHP code and have it run on the appliance as root.

For more details, please see Tod Beardsley's Rapid7 blog post.
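The note above describes the attack only in outline: an authenticated POST whose body carries PHP code. Since no fix is listed, one thing an operator can do is watch for that traffic. The following is an added example written for this note, not code from NAS4Free, CERT/CC or Rapid7. It assumes a reverse proxy or WAF in front of the appliance that records POST bodies (a plain access log does not), and every request, path name and payload in it is constructed for the illustration; the affected script name is not given in the note, so the paths here are placeholders.

```python
"""Flag HTTP POST requests to a NAS4Free-style web UI whose body carries PHP code.

Added illustration for VU#326830; not NAS4Free, CERT/CC or Rapid7 code.
Assumes request bodies are available (e.g. from a proxy/WAF that logs them).
Paths, users and payloads below are constructed sample data.
"""
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Indicators that a POST body contains PHP code rather than ordinary form data.
PHP_INDICATORS = {
    "php_open_tag": re.compile(r"<\?php", re.I),
    "dangerous_call": re.compile(
        r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "superglobal": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
}

# A quoted base64 literal handed to base64_decode(): decode it and scan the result too.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]", re.I)


def decode_body(body: str) -> str:
    """Undo up to two layers of URL encoding and expand base64 literals so
    obfuscated payloads are scanned in the clear."""
    text = body
    for _ in range(2):
        nxt = unquote_plus(text)
        if nxt == text:
            break
        text = nxt
    extra = []
    for m in B64_LITERAL.finditer(text):
        try:
            extra.append(base64.b64decode(m.group(1), validate=True)
                         .decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass  # not valid base64; leave the literal as-is
    return "\n".join([text] + extra)


def scan_requests(requests):
    """Return one finding per POST whose (decoded) body matches a PHP indicator."""
    findings = []
    for req in requests:
        if req.get("method") != "POST":
            continue
        text = decode_body(req.get("body", ""))
        hits = [name for name, pat in PHP_INDICATORS.items() if pat.search(text)]
        if hits:
            user = req.get("user", "-")
            findings.append({
                "ts": req["ts"],
                "src": req["src"],
                "user": user,
                "path": req["path"],
                "authenticated": user != "-",  # the note's vector needs a login
                "indicators": hits,
            })
    return findings


# Constructed sample traffic (not real NAS4Free logs).
SAMPLE_REQUESTS = [
    {"ts": "2013-10-30T12:00:01Z", "src": "10.0.0.5", "user": "admin", "method": "POST",
     "path": "/system_advanced.php", "body": "enable=yes&submit=Save"},
    # Plain PHP in a form field, URL-encoded once: "<?php system('id'); ?>"
    {"ts": "2013-10-30T12:00:07Z", "src": "10.0.0.5", "user": "admin", "method": "POST",
     "path": "/admin_page.php",
     "body": "txtCommand=%3C%3Fphp+system%28%27id%27%29%3B+%3F%3E"},
    # Double URL-encoded eval(base64_decode('...')) wrapping "system('uname -a');"
    {"ts": "2013-10-30T12:01:15Z", "src": "203.0.113.9", "user": "-", "method": "POST",
     "path": "/admin_page.php",
     "body": "cmd=eval%2528base64_decode%2528%2527c3lzdGVtKCd1bmFtZSAtYScpOw%253D%253D"
             "%2527%2529%2529%253B"},
    {"ts": "2013-10-30T12:02:00Z", "src": "203.0.113.9", "user": "-", "method": "GET",
     "path": "/login.php", "body": ""},
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['ts']} {f['src']} user={f['user']} {f['path']} "
              f"authenticated={f['authenticated']} indicators={','.join(f['indicators'])}")
```

An unauthenticated hit does not match the vector in this note (it needs a valid login), but it is still worth seeing: it tells you someone is probing the interface, and the authenticated hits are the ones to treat as likely root compromise of the appliance.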


Impact

A remote authenticated attacker may be able to execute arbitrary code as root on the system.


Solution

We are currently unaware of a practical solution to this problem.

Vendor Information



NAS4Free
Notified: October 08, 2013 | Updated: October 28, 2013



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group         Score   Vector
Base          6.0     AV:N/AC:M/Au:S/C:P/I:P/A:P
Temporal      5.1     E:POC/RL:U/RC:UR
Environmental 1.3     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Acknowledgements

Thanks to Tod Beardsley and Brandon Perry of Rapid7, Inc. for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-3631
Date Public: 2013-10-30
Date First Published: 2013-10-30
Date Last Updated: 2013-10-30 17:13 UTC
Document Revision: 28

Sponsored by CISA.