Post by fajo on Aug 19, 2009 20:03:29 GMT 7
Today I opened 3 new vulnerability tickets with Thecus on the N0204 (FW 1.x). I was able to identify at least 3 scripts that are part of the WebUI that allow remote file or system access to the NAS without proper authorization/authentication.

- LWD-156431 - Remote unauthorized privileged file access in /img/htdocs/adm/usbcopy.php
- LNX-132567 - Remote unauthorized privileged access in /img/htdocs/adm/login.html
- BDL-155821 - Remote unauthorized privileged access in /img/htdocs/adm/usblusage.php

Besides these 3 new vulnerabilities, an existing one (KKM-798736 - RFI vulnerability in usr/usrgetform.html) applies to this model too.

I recommend not allowing remote access (http/https) to the NAS from untrusted networks (e.g. Internet).

I do not expect these to be fixed within the next couple of months (if ever) - KKM-798736 was opened on Feb 26th 2008, affects most models and has not been fixed yet ....

/Falk

Post by regiscruzbr on Nov 30, 2009 11:01:00 GMT 7
Hi fajo,

I was very excited when I read the specifications of the N0204 and I was ready to buy 3 units when I decided to go to the Thecus website to read more details about the N0204. I found your post, and the information you gave made me very worried. So do you know if they resolved this problem, or is it still on the device?

Thanks