Remote code execution via specially crafted script settings

Moderate
Safihre published GHSA-hhgh-xgh3-985r Jun 7, 2023

Package

SABnzbd

Affected versions

1.1.0-4.0.2RC1

Patched versions

> 4.0.2RC1
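The affected and patched ranges above hinge on one pre-release boundary (4.0.2RC1 is affected, 4.0.2 final is not), which a naive string comparison gets wrong. The following is an added example, not code from the advisory or the SABnzbd project, for triaging an inventory of reported versions against that range. It assumes SABnzbd versions look like MAJOR.MINOR.PATCH with an optional AlphaN/BetaN/RCN suffix attached directly (as in "4.0.2RC1") and that pre-releases order Alpha < Beta < RC < final.

```python
import re

# Range stated in the advisory: versions 1.1.0 through 4.0.2RC1 are affected;
# anything above 4.0.2RC1 (i.e. 4.0.2 final and later) is patched.
AFFECTED_MIN = "1.1.0"
AFFECTED_MAX = "4.0.2RC1"

# Assumed ordering of SABnzbd pre-release tags: Alpha < Beta < RC < final.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# Assumed version shape: MAJOR.MINOR.PATCH with an optional AlphaN/BetaN/RCN
# suffix glued on directly, as in "4.0.2RC1".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$", re.IGNORECASE
)


def version_key(version: str) -> tuple:
    """Turn a version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    if stage is None:
        rank, num = _FINAL_RANK, 0  # a final release outranks any pre-release
    else:
        rank, num = _STAGE_RANK[stage.lower()], int(stage_num)
    return (int(major), int(minor), int(patch), rank, num)


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's affected range (inclusive)."""
    return version_key(AFFECTED_MIN) <= version_key(version) <= version_key(AFFECTED_MAX)


def triage(versions):
    """Map each reported version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of versions as an inventory tool might report them.
    sample = ["3.7.2", "4.0.2RC1", "4.0.2rc1", "4.0.2", "1.0.3", "4.0.3"]
    for v, hit in triage(sample).items():
        print(f"{v:10s} {'AFFECTED by CVE-2023-34237' if hit else 'not affected'}")
```

The tuple comparison is what makes the RC boundary come out right: `4.0.2RC1` maps to `(4, 0, 2, 2, 1)` and `4.0.2` to `(4, 0, 2, 3, 0)`, so the final release sorts above its release candidate.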

Description

A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process.

The vulnerability was discovered and disclosed by @mullerdavid.

Impact

Exploiting the vulnerability requires access to the web interface. Remote exploitation is possible if users have exposed their setup to the internet or other untrusted networks without setting a username/password. By default, SABnzbd is only accessible from localhost, with no authentication required for the web interface.

Patches

Patched in e3a722 and 422b4f. These were released as part of SABnzbd 4.0.2.

Workarounds

Set a username and password to prevent unauthorized access to the web interface and/or update to a fixed version.
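Whether the workaround matters for a given install depends on two settings: which address the web interface is bound to and whether credentials are set. The following is an added example, not code from the advisory or the SABnzbd project, that reads those settings from a sabnzbd.ini excerpt and classifies the instance's exposure. It assumes the relevant keys are `host`, `port`, `username` and `password` in the `[misc]` section; the sample config is constructed for the example.

```python
import ipaddress
import re

# Constructed excerpt of a sabnzbd.ini [misc] section (not a real config file).
# Assumed key names: host, port, username, password.
SAMPLE_INI = """\
__version__ = 19
[misc]
host = 0.0.0.0
port = 8080
username =
password =
[[nothing_here]]
"""

_SECTION_RE = re.compile(r"^\[([^\[\]]+)\]$")  # single-bracket sections only
_KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_misc_section(text: str) -> dict:
    """Extract host/port/username/password from the [misc] section."""
    # Defaults mirror the advisory's description of a stock install:
    # loopback only, no credentials.
    settings = {"host": "127.0.0.1", "port": "8080", "username": "", "password": ""}
    in_misc = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            in_misc = sec.group(1).strip().lower() == "misc"
            continue
        if line.startswith("["):  # nested [[...]] blocks belong to other sections
            in_misc = False
            continue
        kv = _KV_RE.match(line)
        if in_misc and kv and kv.group(1) in settings:
            settings[kv.group(1)] = kv.group(2).strip().strip('"')
    return settings


def _is_loopback(host: str) -> bool:
    """True for localhost, 127.x.x.x and ::1; hostnames are treated as non-loopback."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address
        return False


def assess_exposure(settings: dict) -> str:
    """Classify how reachable an unpatched instance is from its bind host and credentials."""
    if _is_loopback(settings["host"]):
        return "local-only"  # default install: reachable only from this machine
    if settings["username"] and settings["password"]:
        return "exposed-authenticated"  # workaround applied; updating is still required
    return "exposed-unauthenticated"  # reachable without credentials


if __name__ == "__main__":
    s = parse_misc_section(SAMPLE_INI)
    print(f"bind {s['host']}:{s['port']} -> {assess_exposure(s)}")
```

Note that "exposed-authenticated" is not "safe": the flaw is exploitable by anyone who can reach the web interface with valid credentials, so the password only narrows who can trigger it; updating past 4.0.2RC1 is what removes it.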

For more information

If you have any questions or comments about this advisory, you can open an issue or a discussion in our GitHub repository.

Severity

Moderate

CVE ID

CVE-2023-34237

Weaknesses

No CWEs

Credits