Planet WGR-500 OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the Planet WGR-500 router, specifically in version 1.3411b190912. The issue arises within the 'formPingCmd' function, where the 'ipaddr' and 'counts' request parameters are not properly validated. This lack of validation allows attackers to send crafted HTTP requests that execute arbitrary commands on the router. The vulnerability is related to improper neutralization of special elements used in OS commands, commonly known as OS command injection.
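One way a ping handler can neutralize the two parameters named above, shown as an added example and not code from the Planet firmware: each value is parsed into a typed form and the command is run from an argument vector without a shell. The names `safe_ping`, `valid_ipaddr`, `parse_counts`, `PING_PATH` and `PING_MAX_COUNT`, the IPv4-only policy and the count limit are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define PING_MAX_COUNT 10        /* assumed upper bound for a diagnostic page */
#define PING_PATH "/bin/ping"    /* assumed location of the ping binary */

/* Accept only a literal IPv4 address; inet_pton() rejects any trailing bytes. */
static int valid_ipaddr(const char *s)
{
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Accept only a plain decimal integer in 1..PING_MAX_COUNT; 0 means invalid. */
static int parse_counts(const char *s)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return 0;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > PING_MAX_COUNT)
        return 0;
    return (int)v;
}

/* Returns ping's exit status, or -1 if a parameter is rejected or exec fails. */
int safe_ping(const char *ipaddr, const char *counts)
{
    char cnt[12];
    int n = parse_counts(counts), status;
    if (!valid_ipaddr(ipaddr) || n == 0)
        return -1;
    snprintf(cnt, sizeof cnt, "%d", n);   /* re-serialize the parsed value */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: argv array, no shell involved */
        char *const argv[] = { "ping", "-c", cnt, (char *)ipaddr, NULL };
        execv(PING_PATH, argv);
        _exit(127);
    }
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Because the values reach `execv()` as separate arguments, shell metacharacters in a request have no special meaning even if a validation rule is later relaxed.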
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
Reproduction
To reproduce this vulnerability, send a series of HTTP requests to the Planet WGR-500 router's 'formPingCmd' function. Include crafted 'ipaddr' and 'counts' parameters that exploit the lack of input validation. The router will execute the injected commands with system privileges, leading to unauthorized command execution.
