Synology DiskStation Manager 'imageSelector.cgi' Remote Command Execution Vulnerability

Summary
Synology DiskStation Manager is prone to a remote command-execution vulnerability.
Impact
An attacker can exploit this issue to execute arbitrary commands with root privileges.
Solution
Updates are available.
Insight
Synology DiskStation Manager (DSM) contains a flaw in the SliceUpload functionality provided by /webman/imageSelector.cgi. With a specially crafted request, a remote attacker can append data to files, allowing for the execution of arbitrary commands.
Affected
Synology DiskStation Manager 4.x is vulnerable; other versions may also be affected.
Detection
This script tries to execute the 'id' command on the remote host using specially crafted requests.