Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Unauthenticated users can execute arbitrary code as root

Featured Replies

I think i've found a way for an unauthenticated user execute any arbitrary code as root (including modifying system files, change or reset permissions etc.). Is this the correct place to detail this? Does limetech have a bug bounty program?

I think i've found a way for an unauthenticated user execute any arbitrary code as root (including modifying system files, change or reset permissions etc.). Is this the correct place to detail this? Does limetech have a bug bounty program?

 

Yes we have a 'todo' item to close this loophole (if it's what I think you found).  Please send me an email: [email protected]

 

We don't have a 'bounty' system in place but we have talked about implementing this for features - if we did it for bugs we'd probably go broke in a week  :o

  • Author

shame  :P

 

i've sent you a note, Tom.

  • 1 month later...

I think i've found a way for an unauthenticated user execute any arbitrary code as root (including modifying system files, change or reset permissions etc.). Is this the correct place to detail this? Does limetech have a bug bounty program?

 

Yes we have a 'todo' item to close this loophole (if it's what I think you found).  Please send me an email: [email protected]

 

We don't have a 'bounty' system in place but we have talked about implementing this for features - if we did it for bugs we'd probably go broke in a week  :o

 

So has this been closed then Tom?

Are we going to disclose the details of this? Thats the typical conclusion to this type of report.

One could simply issue a http post or http get to emhttp and execute arbitrary code. If you look at the thread Important Update for Plugin Authors for Unraid 6.1 it contains the details needed. I think it was in the Update page.

 

The solution was to go with a jailed-like environment so only commands under emhttp root are able to be executed.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.