Western Digital Arkeia lang Cookie Local File Inclusion

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote web server hosts a PHP script that is affected by a local
file inclusion vulnerability.

Description :

The remote Western Digital Arkeia device hosts a PHP script that is
affected by a local file inclusion vulnerability. A remote,
unauthenticated attacker can exploit this issue to read or execute
arbitrary files by crafting a request with directory traversal
sequences in the 'lang' cookie.

Note that the application is also reportedly affected by a remote file
upload arbitrary code execution vulnerability; however, Nessus has not
tested for this issue.

See also :

http://www.nessus.org/u?236dbbe5

Solution :

Upgrade to version 10.1.9 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 74220

Bugtraq ID: 62444

CVE ID: