Posted by Kacper Szurek on Jan 24

# Exploit Title: WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass
# Date: 24.01.2017
# Software Link: https://www.wdc.com
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local

1. Description

It’s possible to execute arbitrary commands using login form because
`exec()` function is used without `escapeshellarg()`.

It’s possible to bypass login form…