Monday, 27 March 2017

Another IoT fail: Miele dishwasher has web server bug. Yes, you did read that right!



Don't say you weren't warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server, and now finds itself on the wrong end of a bug report that it's accused of ignoring.

The utterly predictable bug report at Full Disclosure details CVE-2017-7240, “Miele Professional PG 8528 - Web Server Directory Traversal”.

“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.”

Directory traversal attacks let miscreants reach directories other than those a web server needs to serve. And once they're in those directories, it's party time, because they can insert their own code and tell the web server to execute it.
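To show what the server-side fix for this class of bug looks like, here is an added example (not code from the advisory or from Miele's firmware) that puts the vulnerable path-building pattern beside a hardened resolver. The document root `/var/www`, the function names and the sample request paths are all assumptions made up for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www"  # assumed document root (hypothetical, not from the advisory)


def resolve_naive(request_path):
    """Vulnerable pattern: glue the request path onto the root unchecked."""
    return DOC_ROOT + request_path


def resolve_safe(request_path):
    """Return the file path inside DOC_ROOT, or None if the request escapes it."""
    decoded = unquote(request_path)  # decode %2e%2e and friends exactly once
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL bytes and backslashes have no place in a URL path
    # Collapse "." and ".." lexically, then require the result to stay in the root.
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Compare against DOC_ROOT + "/" so a sibling such as /var/www-old is rejected.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    # On a real filesystem, symlinks would additionally need os.path.realpath.
    return candidate


# Constructed request paths for illustration.
SAMPLES = [
    "/index.html",
    "/css/../index.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/../www-old/backup.cfg",
]

if __name__ == "__main__":
    for path in SAMPLES:
        naive = posixpath.normpath(resolve_naive(path))
        print(f"{path!r:32} naive -> {naive:24} safe -> {resolve_safe(path)}")
```

The key detail is the order of operations: decode, normalise, then check containment against the root with a trailing separator, so encoded dot segments and sibling directories that share the root's prefix are both refused.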