kirth
New Member
Posts: 23
Post by kirth on Feb 25, 2008 2:46:47 GMT 7
Just to let you know a few days ago an exploit for the N5200Pro has gone "public". It's a Remote File Inclusion. Here it is: www.milw0rm.com/ Exploit id is 5150. Thecus N5200Pro NAS Server Control Panel RFI Vulnerability
Post by danielz on Feb 26, 2008 16:14:30 GMT 7
The exploit is fixed in version 2.00.04 (http://www.thecus.eu/en/89/)
//Daniel
Post by fajo on Feb 26, 2008 17:06:47 GMT 7
The release notes refer to other (more critical) vulnerabilities - the remote file inclusion should still be possible in 2.00.04 as long as allow_url_fopen is enabled (the default) in /etc/httpd/conf/php.ini.
If the SSHD module is installed you may disable this PHP feature and the exploit will no longer show any effect.
/Falk
Post by marty on Feb 27, 2008 12:22:13 GMT 7
Hi,
What kind of security vulnerability are we at risk of? Could you give us an example? Thanks
Marty
Post by fajo on Feb 27, 2008 14:36:19 GMT 7
Post by fajo on Jan 8, 2009 5:32:59 GMT 7
I made an update available for download that will set allow_url_fopen to off in php.ini. To download the update and MD5 checksum follow the links below:
www.fajo.de/thecus/N5200_N5200pro_1U4500_N7700_N8800_FIX_KKM-79873.bin
www.fajo.de/thecus/N5200_N5200pro_1U4500_N7700_N8800_FIX_KKM-79873.bin.md5
The update has been tested on 'N5200pro' and can be applied on the following models running ANY FW version (the update reports version 99.99.99):
- N5200
- N5200pro
- 1U4500
- N7700
- N8800
The update process will report 'success' if either of the following applies:
- allow_url_fopen was not set to on
- php.ini modified successfully
An 'error' is reported if either of the following applies:
- php.ini was not found
- the process was not able to update php.ini
After applying the update a reboot is required so httpd gets restarted.
/Falk
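The check-and-rewrite logic fajo's update describes, written out as an added shell example that is not fajo's update or Thecus code; it assumes the php.ini path /etc/httpd/conf/php.ini named earlier in the thread, runs as root on the NAS, and leaves the reboot (httpd restart) to the operator. It goes one step beyond the thread's rules: when no allow_url_fopen directive exists at all it adds an explicit Off, because PHP's compiled-in default for that setting is On.

```shell
#!/bin/sh
# Added example (not fajo's update or Thecus code): set allow_url_fopen to Off
# in php.ini and report the same outcomes the thread lists (success / error).
# Assumed default path: /etc/httpd/conf/php.ini, named earlier in the thread.
# disable_url_fopen [php.ini]  -- prints the outcome; returns 0 success, 1 error
disable_url_fopen() {
    ini="${1:-/etc/httpd/conf/php.ini}"
    # Active (uncommented) directive with any value / with an enabling value;
    # PHP treats on/1/true/yes as true, case-insensitively.
    any_re='^[[:space:]]*allow_url_fopen[[:space:]]*='
    on_re="${any_re}[[:space:]]*(on|1|true|yes)"
    # error: php.ini was not found
    if [ ! -f "$ini" ]; then
        echo "error: $ini was not found"
        return 1
    fi
    if ! grep -Eiq "$on_re" "$ini"; then
        if grep -Eiq "$any_re" "$ini"; then
            echo "success: allow_url_fopen was not set to on"
            return 0
        fi
        # No directive at all: PHP's built-in default is On, so "not set to on"
        # would pass while the feature stays enabled; add an explicit Off instead.
        if printf '\nallow_url_fopen = Off\n' >> "$ini"; then
            echo "success: allow_url_fopen directive added (Off)"
            return 0
        fi
        echo "error: the process was not able to update $ini"
        return 1
    fi
    # Rewrite the enabling line; keep a backup so the change can be reverted.
    tmp="$ini.tmp.$$"
    cp "$ini" "$ini.bak" || { echo "error: could not back up $ini"; return 1; }
    if awk 'tolower($0) ~ /^[ \t]*allow_url_fopen[ \t]*=/ { print "allow_url_fopen = Off"; next }
            { print }' "$ini" > "$tmp" && mv "$tmp" "$ini" && ! grep -Eiq "$on_re" "$ini"; then
        echo "success: php.ini modified"
        return 0
    fi
    rm -f "$tmp"
    echo "error: the process was not able to update $ini"
    return 1
}
# Run directly with the php.ini path as the argument, then reboot so httpd
# restarts and the running PHP picks up the change.
[ $# -gt 0 ] && disable_url_fopen "$1"
```

Commented-out lines such as `; allow_url_fopen = On` are left alone, since PHP ignores them anyway.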
Post by gideon007 on Jan 10, 2009 0:22:36 GMT 7
Is this to be applied like a module or like a firmware update? Thanks for bothering with this.
Post by peterfu on Jan 10, 2009 1:52:45 GMT 7
As FW upgrade.
br Peter