Project

General

Profile

Bug #6474

Updated by Jim Pingle over 7 years ago

Command injection is possible using the id parameter on pkg_mgr_install.php 

 <pre> 
 http://ip/pkg_mgr_install.php?id=firmware`/path/to/some/command` 
 </pre> http://<ip>/pkg_mgr_install.php?id=firmware`/path/to/some/command` 

 Renato fixed it yesterday, adding this for tracking purposes.

Back