[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Linksys E2500 and E1200 (Unauth Command Injection)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Linksys E2500 and E1200 (Unauth Command Injection)
From: samhuntley84@xxxxxxxxx
Date: Sun, 14 Aug 2016 21:42:27 GMT

Linksys E2500 and E1200 suffer from missing command injection issue in parental 
control parameters. This allows an attacker to change the control the device 
remotely.

Combining the attack of no authorization control, it allows an attacker to 
actually execute unauthenticated command injection attack and thus control the 
entire device.

More info at:
http://www.samuelhuntley.com/?p=141
http://www.samuelhuntley.com/?p=135

Initial disclosure date: 04/12/16
Fixed date as per Linksys contact: 7/4/16
Linksys contact: Benjamin Samuels,  Calvin Clark (security@xxxxxxxxxxx)

Prev by Date: Linksys E1200 and E2500 (Missing authorization on parental control)
Next by Date: Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70
Previous by thread: Linksys E1200 and E2500 (Missing authorization on parental control)
Next by thread: Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70
Index(es):
- Date
- Thread