------------------------------------------------------------------------
Synology Video Station command injection and multiple SQL injection
vulnerabilities
------------------------------------------------------------------------
Han Sahin, September 2015
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Synology Video Station is vulnerable to command
injection that allows an attacker to execute arbitrary system commands
with root privileges. In addition, Video Station is affected by multiple
SQL injection vulnerabilities that allow execution of arbitrary SQL
statements with DBA privileges. As a result, it is possible to compromise
the PostgreSQL database server.
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
These issues affect Synology Video Station versions up to and including
version 1.5-0757.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology has reported that these issues have been resolved in:
- Video Station version 1.5-0757 [audiotrack.cgi]
- Video Station version 1.5-0763 [watchstatus.cgi]
- Video Station version 1.5-0763 [subtitle.cgi]
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html