PT-2017-18849 · Openwebif · Openwebif

Borjmz · Published 2017-09-18 · Updated 2019-10-03 · CVE-2017-9333

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenWebif version 1.2.5

Description: The issue allows remote code execution via a URL passed to the CallOPKG function of the IpkgController class in plugin/controllers/ipkg.py. It occurs when the URL points to an attacker-controlled web site serving a Trojan-horse package. The threat model applies wherever untrusted users can trigger CallOPKG and enter an arbitrary URL in an input field intended for a package name. This may affect current versions of third-party products that bundle OpenWebif, such as set-top boxes.

Recommendations: For OpenWebif version 1.2.5, consider restricting access to the CallOPKG function in the IpkgController class to prevent remote code execution via malicious URLs. As a temporary workaround, restrict the input field to accept only package names and reject arbitrary URLs.
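One way to apply the workaround above, as an added example that is not OpenWebif's own code: an allowlist check on the package-name field before anything reaches opkg. The function names and the name pattern are assumptions; the pattern deliberately admits only bare package names, so a URL or file path (the vector this advisory describes) is refused before opkg, which itself accepts such arguments to install, ever sees it.

```python
import re
import subprocess
from typing import List

# Conservative allowlist for ipk package names: lowercase letters, digits,
# '+', '-' and '.', starting with a letter or digit, at most 128 characters.
# Anything containing '/', ':', whitespace or shell metacharacters fails the
# pattern, so URLs and paths never reach opkg. (Assumed policy, not OpenWebif's.)
_PACKAGE_NAME = re.compile(r"^[a-z0-9][a-z0-9+.\-]{0,127}$")

# Sub-commands that take a single package name as their argument.
_ALLOWED_COMMANDS = ("install", "remove", "upgrade")


def is_valid_package_name(value: str) -> bool:
    """Return True only if value looks like a bare package name."""
    return bool(_PACKAGE_NAME.match(value))


def build_opkg_argv(command: str, package: str) -> List[str]:
    """Build the argv for an opkg call, refusing anything but a bare package name.

    The argv is returned as a list so it can be run without a shell. The name
    check is still required even then, because 'opkg install' itself accepts a
    URL or local path to an .ipk file, which is the path CVE-2017-9333 abuses.
    """
    if command not in _ALLOWED_COMMANDS:
        raise ValueError(f"unsupported opkg command: {command!r}")
    if not is_valid_package_name(package):
        raise ValueError(f"rejected package argument: {package!r}")
    return ["opkg", command, package]


def call_opkg(command: str, package: str) -> int:
    """Validate the request, then run opkg without a shell; returns the exit status."""
    argv = build_opkg_argv(command, package)
    # No shell=True: arguments are passed verbatim, never re-parsed by /bin/sh.
    return subprocess.call(argv)
```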

Fix

RCE


Weakness Enumeration

Related Identifiers: CVE-2017-9333

Affected Products: Openwebif