Western Digital Arkeia lang Cookie Crafted Local File Inclusion

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote web server hosts a PHP script that is affected by a local
file inclusion vulnerability.

Description :

The remote Western Digital Arkeia device hosts a PHP script that is
affected by a local file inclusion vulnerability. A remote,
unauthenticated attacker can exploit this issue to read or execute
arbitrary files by crafting a request with directory traversal
sequences in the 'lang' cookie.
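
A defensive check for the pattern described above, as an added example that is not part of the Nessus plugin or the vendor's code: it inspects raw HTTP requests (for instance from a reverse proxy or a packet capture) and flags 'lang' cookie values that are not a plain locale identifier. The sample requests, host name, paths and the shape of the locale allowlist are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed shape of a legitimate value: "en", "fr_FR", "pt-BR".
SAFE_LANG = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?")

# Constructed sample requests (host and paths are placeholders).
SAMPLES = {
    "benign": "GET /login HTTP/1.1\r\nHost: backup.example\r\nCookie: sid=abc; lang=en\r\n\r\n",
    "plain": "GET /login HTTP/1.1\r\nHost: backup.example\r\nCookie: lang=../../../tmp/constructed\r\n\r\n",
    "encoded": "GET /login HTTP/1.1\r\nHost: backup.example\r\nCookie: lang=..%252f..%252ftmp%252fconstructed; sid=abc\r\n\r\n",
}

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lang_cookie_values(raw_request):
    """Yield every 'lang' cookie value found in the request's Cookie headers."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.strip().partition("=")
            if key == "lang":
                yield val

def suspicious_lang(raw_request):
    """Return one reason per 'lang' cookie value that is not a locale identifier."""
    findings = []
    for raw in lang_cookie_values(raw_request):
        value = decode_fully(raw)
        if SAFE_LANG.fullmatch(value):
            continue
        if ".." in value and re.search(r"[\\/]", value):
            findings.append("traversal sequence")
        elif "/" in value or "\\" in value:
            findings.append("path separator")
        else:
            findings.append("not a locale identifier")
    return findings
```

The same allowlist test, applied server-side before the value reaches any file include, is the general mitigation for this class of bug; the fix for this product remains the upgrade listed under Solution.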

See also :

http://www.nessus.org/u?67b88cb2
http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Execution
http://www.nessus.org/u?97c1883b

Solution :

Upgrade to version 10.2.9 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 74221

Bugtraq ID: 67039

CVE ID: CVE-2014-2846