[Security] CVE-2017-9807 - OpenWebIf Vulnerability

Started by WanWizard, 24 Jun 2017 10:38

security OpenWebIf

This topic is locked

4 replies to this topic

#1 WanWizard

Forum Moderator
PLi® Core member
47,168 posts

+784

Excellent

Posted 24 June 2017 - 10:38

Attention

With the CVE number mentioned above a serious vulnerability in relation to the OpenWebIf has been reported. See https://cve.mitre.or...e=CVE-2017-9807 for details.

The vulnerability makes it possible to create, overwrite or change arbitrary files using a specially formulated web request. Every Enigma2 version with an installed OpenWebIf is impacted.

For those who still have their box open, connected to the internet without the use of a VPN: Please switch this off immediately, before your box is hacked!!!

The OpenWebIf team is working very hard to find a solution for this problem.

Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #2 Dream1975

Senior Member
1,602 posts

+14

Neutral

Posted 24 June 2017 - 12:43

If the box is somewhere else, but you can reach it through Putty, you can use "opkg remove enigma2-plugin-extensions-openwebif" to (temporary) remove Openwebif

Edited by Dream1975, 24 June 2017 - 12:43.

Mutant HD2400, OpenPLi RC, 2x DVB-C & 2x DVB-S

Mutant HD51, OpenPLi RC, 1x DVB-C & 1x DVB-S

Wavefrontier T55 (Astra 1,2,3 en HB)

Smartcards Ziggo (Irdeto) and CDS (Seca) on Oscam

Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #3 theparasol

Senior Member
4,141 posts

+196

Excellent

Posted 24 June 2017 - 15:28

Fix has been committed https://github.com/E...24fb8d7dd610f46

Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #4 WanWizard

Forum Moderator
PLi® Core member
47,168 posts

+784

Excellent

Posted 24 June 2017 - 15:46

Will be part of tomorrows images.

Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #5 WanWizard

Forum Moderator
PLi® Core member
47,168 posts

+784

Excellent

Posted 25 June 2017 - 11:02

Topic can be closed.

Thanks to Jörg Bleyel for the quick fix for this issue!

Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

Back to [EN] Enduser support

Also tagged with one or more of these keywords: security, OpenWebIf

Update OpenWebif to latest version Started by joepie, 9 Feb 2019 openwebif	2 replies 576 views	s3n0 14 Feb 2019
Package signatures and download security Started by David85, 29 Oct 2018 security, opkg, https	10 replies 557 views	Erik Slagter 30 Oct 2018
Transcoding icon not showing Started by casperse, 17 Mar 2018 Openwebif	2 replies 731 views	casperse 18 Mar 2018
OpenWebIf and streaming access through VPN Started by JasonM8, 19 Nov 2017 VPN, OpenWebIF	12 replies 2,632 views	Pippin 20 Nov 2017
Openwebif key authentication instead of http auth Started by pistacio, 29 Mar 2017 openwebif	Hot 14 replies 3,276 views	malakudi 5 Apr 2017