| Title | FLIR-AX8 palette.php command execution vulnerability |
|---|
| Description | FLIR AX8 web services have an unauthorized remote code execution vulnerability that allows an attacker to obtain device privileges and execute arbitrary commands with root privileges.
Vulnerability Affected Version:
Firmware version <= v1.46.16
Web component version <= v1.0.7.20
In the www directory, the palette.php program receives a POST method request, if there is a palette parameter, the program will concatenate the value of the palette with LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette, if the palette contains a command truncator, it will cause command injection. |
|---|
| Source | ⚠️ https://github.com/siriuswhiter/VulnHub/blob/main/Flir/02-FLIR-AX8%20palette.php%20%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/FLIR-AX8%20palette.php%20%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E1.md |
|---|
| User | ireading (ID 36553) |
|---|
| Submission | 12/08/2022 14:18 (1 Year ago) |
|---|
| Moderation | 12/08/2022 15:45 (1 hour later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 215118 |
|---|