Description
A vulnerability was discovered in SABnzbd that could allow remote code execution. The isFAT() function in checkdir.py did not properly validate input, causing specially crafted Completed Download Folder settings to lead to code execution with the privileges of the SABnzbd process.
The vulnerability was discovered and disclosed by Michael Anastasakis. Further investigation by the SABnzbd Team revealed a similar issue with the Nice and IONice Parameters settings.
Impact
Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from localhost, with no authentication required for the web interface.
Note: Windows is not affected, nor are setups (regardless of operating system) that have their Config pages locked down by the special config_lock option.
Patches
Patched in dfcba6e and 73d3f7b. These were released as part of SABnzbd 3.0.0.
Workarounds
Set a username and password to prevent unauthorized access to the web interface and/or update to a fixed version.
For more information
If you have any questions or comments about this advisory:
Description
A vulnerability was discovered in SABnzbd that could allow remote code execution. The
isFAT()function incheckdir.pydid not properly validate input, causing specially crafted Completed Download Folder settings to lead to code execution with the privileges of the SABnzbd process.The vulnerability was discovered and disclosed by Michael Anastasakis. Further investigation by the SABnzbd Team revealed a similar issue with the Nice and IONice Parameters settings.
Impact
Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from
localhost, with no authentication required for the web interface.Note: Windows is not affected, nor are setups (regardless of operating system) that have their Config pages locked down by the special
config_lockoption.Patches
Patched in dfcba6e and 73d3f7b. These were released as part of SABnzbd 3.0.0.
Workarounds
Set a username and password to prevent unauthorized access to the web interface and/or update to a fixed version.
For more information
If you have any questions or comments about this advisory: