/cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
boa boa 0.94.14.21 |
Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Flaws in the open-source tool exploited – and India's power grid was a target
Microsoft is warning that systems using the long-discontinued Boa web server could be at risk of attacks after a series of intrusion attempts of power grid operations in India likely included exploiting security flaws in the technology. Researchers with Microsoft's Security Threat Intelligence unit examined an April report from cybersecurity company Recorded Future about the intrusion efforts into India's power grid dating back to 2020 and, more recently, into a national emergency response syste...