This Metasploit module exploits a file upload vulnerability found in Western Digital’s MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device’s file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
Source: Western Digital MyCloud multi_uploadify File Upload
The post Western Digital MyCloud multi_uploadify File Upload appeared first on MondoUnix.