Full Disclosure mailing list archives

Synology Video Station command injection and multiple SQL injection vulnerabilities

From: "Securify B.V." <lists () securify nl>

Date: Wed, 9 Sep 2015 20:15:35 +0200

------------------------------------------------------------------------
Synology Video Station command injection and multiple SQL injection
vulnerabilities
------------------------------------------------------------------------
Han Sahin, September 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Synology Video Station is vulnerable to command
injection that allows an attacker to execute arbitrary system commands
with root privileges. In addition, Video Station is affected by multiple
SQL injection vulnerabilities that allow for execution of arbitrary SQL
statements with DBA privileges. As a result it is possible to compromise
the PostgreSQL database server.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
These issues affect Synology Video Station version up to and including
version 1.5-0757.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology has reported that these issues have been resolved in:

- Video Station version 1.5-0757 [audiotrack.cgi]
- Video Station version 1.5-0763 [watchstatus.cgi]
- Video Station version 1.5-0763 [subtitle.cgi]

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/