[Security] CVE-2017-9807 - OpenWebIf Vulnerability

security OpenWebIf

  • This topic is locked
4 replies to this topic

#1 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 24 June 2017 - 10:38

Attention
 
With the CVE number mentioned above, a serious vulnerability in relation to the OpenWebIf has been reported. See https://cve.mitre.or...e=CVE-2017-9807 for details.
 
The vulnerability makes it possible to create, overwrite or change arbitrary files using a specially formulated web request. Every Enigma2 version with an installed OpenWebIf is impacted.
 
For those who still have their box open, connected to the internet without the use of a VPN: Please switch this off immediately, before your box is hacked!!!
 
The OpenWebIf team is working very hard to find a solution for this problem.

Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2), SAB Alpha Triple HD (S2+T2), Zgemma H3.T2C (T/C), Zgemma H6 (fallback), VU+Zero (fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #2 Dream1975

  • Senior Member
  • 1,602 posts

+14
Neutral

Posted 24 June 2017 - 12:43

If the box is somewhere else, but you can reach it through PuTTY, you can use "opkg remove enigma2-plugin-extensions-openwebif" to (temporarily) remove OpenWebIf.


Edited by Dream1975, 24 June 2017 - 12:43.

Mutant HD2400, OpenPLi RC, 2x DVB-C & 2x DVB-S

Mutant HD51, OpenPLi RC, 1x DVB-C & 1x DVB-S

Wavefrontier T55 (Astra 1,2,3 en HB)

Smartcards Ziggo (Irdeto) and CDS (Seca) on Oscam

 


Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #3 theparasol

  • Senior Member
  • 4,141 posts

+196
Excellent

Posted 24 June 2017 - 15:28

Fix has been committed https://github.com/E...24fb8d7dd610f46



Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #4 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 24 June 2017 - 15:46

Will be part of tomorrow's images.




Re: [Security] CVE-2017-9807 - OpenWebIf Vulnerability #5 WanWizard

  • Forum Moderator
    PLi® Core member
  • 47,168 posts

+784
Excellent

Posted 25 June 2017 - 11:02

Topic can be closed.

 

Thanks to Jörg Bleyel for the quick fix for this issue!







