### Critical Vulnerability Information

#### 1. Arbitrary Command Execution (#0x00)

- **Description**: Authenticated users can remotely execute arbitrary commands by injecting shell commands into the `device` parameter.
- **Impact**: The `openfiler` user belongs to the `wheel` group and can run `sudo /bin/bash` without a password.
- **Exploitation Method**: In the file `/opt/openfiler/var/www/htmls/admin/system.html`, data controlled by the `device` parameter is used to create a new `NetworkCard` object. The constructor of this object, defined in `network.src`, calls `exec()`.

#### 2. Information Disclosure (#0x01)

- **Description**: Sensitive information is accessible without authentication.
- **Exploitation Method**:
  - `https://:446/phpldapadmin.php`
  - `https://:446/phpmyadmin.php`

#### 3. Credential Disclosure (#0x02)

- **Description**: Credentials of authenticated users are stored in plaintext in the `usercookie` and `passcookie` cookies, and these cookies do not have the `HttpOnly` flag set.
- **Exploitation Method**: An attacker who obtains these cookies learns the username and password directly.

#### 4. Cross-Site Request Forgery (#0x03)

- **Description**: Authenticated users are vulnerable to cross-site request forgery attacks.
- **Exploitation Method**:
  - Stop service: `https://:446/admin/services.html?service=&action=stop`
  - Start service: `https://:446/admin/services.html?service=&action=start`

#### 5. Reflected Cross-Site Scripting (#0x04)

- **Description**: Authenticated users are vulnerable to reflected cross-site scripting attacks.
- **Exploitation Method**:
  - `https://:446/admin/system.html?cmd=alert(document.cookie)`

This summary outlines multiple security vulnerabilities present in Openfiler v2.x, along with their respective exploitation methods.
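The following is an added hardening example, not code from Openfiler or from the advisory. It shows the server-side checks that close the root causes of #0x00, #0x02, #0x03 and #0x04: an allowlist on the `device` parameter before anything reaches `exec()`, a session cookie with `HttpOnly`/`Secure` flags in place of plaintext `usercookie`/`passcookie`, a CSRF token checked on state-changing handlers such as `services.html`, and output encoding for reflected values. Every function name (`validate_device_name`, `interface_status`, `issue_session_cookie`, `csrf_token`, `require_csrf_token`, `h`) and the `/sbin/ip link show` command are assumptions chosen for illustration; only `device`, `usercookie`, `passcookie`, `NetworkCard` and port 446 come from the advisory. The array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
// Added hardening example (not Openfiler's own code). Function names and the
// `ip link show` command are hypothetical; see the lead-in for assumptions.

// #0x00: Linux interface names are at most 15 bytes and contain no shell
// metacharacters, so a strict allowlist is possible instead of ad-hoc escaping.
function validate_device_name(string $device): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$/', $device)) {
        throw new InvalidArgumentException('invalid interface name');
    }
    return $device;
}

// Hypothetical replacement for the path where NetworkCard's constructor calls
// exec(): validate first, then escapeshellarg() as defence in depth.
function interface_status(string $device): array
{
    $safe = escapeshellarg(validate_device_name($device));
    exec('/sbin/ip link show ' . $safe, $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// #0x02: an opaque session id instead of plaintext usercookie/passcookie.
// HttpOnly keeps it out of document.cookie; Secure limits it to HTTPS (446).
function issue_session_cookie(string $sessionId): void
{
    setcookie('session', $sessionId, [      // array form needs PHP >= 7.3
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// #0x03: per-session CSRF token, embedded in forms and checked on every
// state-changing request (e.g. a services.html start/stop action).
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function require_csrf_token(?string $submitted): void
{
    $expected = $_SESSION['csrf'] ?? '';
    if ($submitted === null || $expected === '' || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

// #0x04: never echo request data raw; encode it for the HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch for a system.html-style handler:
// session_start();
// require_csrf_token($_POST['csrf'] ?? null);
// $status = interface_status($_POST['device'] ?? '');
// echo '<pre>' . h(implode("\n", $status['output'])) . '</pre>';
```

The allowlist is the real fix for #0x00: `escapeshellarg()` alone would still let an interface name be chosen freely, whereas the regex rejects everything that is not a plausible interface name before the shell is involved. The CSRF check uses `hash_equals()` so the comparison does not leak timing, and the token is per session rather than per request so that legitimate multi-tab use keeps working.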