Exploit for Unraid webGui remote code execution CVE-2020-5847 CVE-2020-5849

Name: Exploit for Unraid webGui remote code execution CVE-2020-5847 CVE-2020-5849
Rating: 5 (118 reviews)

2020-04-30 | CVSS 10.0

## https://sploitus.com/exploit?id=SAINT:74C0293BF5130A596F2DA5BDCEF8CDFC
Added: 04/30/2020  
CVE: CVE-2020-5847  


### Background

Unraid is a network-attached storage operating system. It runs a web-based graphical user interface (webGui) written in PHP. 

### Problem

The Unraid webGui uses the PHP `**extract**` function to load all GET parameters into the application as variables, allowing a remote user to control any program variable, leading to command execution. 

### Resolution

Upgrade to Unraid 6.8.1 or higher. 

### References

https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/