Western Digital MyCloud multi_uploadify File Upload
Posted by deepcore on December 16, 2017 – 2:02 am
This Metasploit module exploits a file upload vulnerability found in Western Digital’s MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device’s file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
Post a reply
You must be logged in to post a comment.