CVE-2013-6987
Published: 2013-12-31
Priority: P3 (58) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: yes
EPSS: 14.89% (96.3rd percentile)
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synology | diskstation_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts (dot-dot sequences) in POST body parameters 'path', 'folder_path', and 'dlink' targeting Synology FileStation CGI endpoints.
- Monitor for POST requests to /webapi/FileStation/*.cgi and /fbdownload/ containing '../' or '..%2F' sequences in request parameters, particularly 'folder_path', 'path', and 'dlink'.
- Look for the custom header 'X-SYNO-TOKEN' in requests to FileStation CGI endpoints combined with traversal patterns, indicating authenticated exploitation attempts.
- Flag requests where 'folder_path' or 'path' parameters resolve outside expected share directories (e.g., traversal to /etc/passwd or /tmp).
- The exploit targets Synology DSM on port 5000 (default HTTP port); detections should be scoped to this non-standard port if the default configuration is in use.
- Exploitation requires a valid session (X-SYNO-TOKEN and session cookie), meaning the attacker must be authenticated or have obtained a valid session token prior to exploitation.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/124563
- http://seclists.org/fulldisclosure/2013/Dec/177
- http://www.exploit-db.com/exploits/30475
- http://www.securityfocus.com/bid/64483
- http://www.synology.com/en-us/releaseNote/model/DS114
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89892