vendor:
InfraPower Manager PPS-02-S
by:
Gjoko 'LiquidWorm' Krstic
9,8
CVSS
HIGH
Unauthenticated Remote Root Command Execution
78
CWE
Product Name: InfraPower Manager PPS-02-S
Affected Version From: Q213V1 (Firmware: V2395S)
Affected Version To: Q216V3 (Firmware: IPD-02-FW-v03)
Patch Exists: YES
Related CWE: N/A
CPE: a:austin_hughes_electronics_ltd:infrapower_manager_pps-02-s
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Linux 2.6.28 (armv5tel), lighttpd/1.4.30-devel-1321, PHP/5.3.9, SQLite/3.7.10
2016
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
InfraPower suffers from multiple unauthenticated remote command injection vulnerabilities. The vulnerability exist due to several POST parameters in several scripts not being sanitized when using the exec(), proc_open(), popen() and shell_exec() PHP function while updating the settings on the affected device. This allows the attacker to execute arbitrary system commands as the root user and bypass access controls in place.
Mitigation:
Upgrade to the latest version of InfraPower Manager PPS-02-S
