17 Jun 2012 17:15
QNAP Turbo NAS Multiple Vulnerabilities - Security Advisory
Lists <lists <at> senseofsecurity.com>
2012-06-17 15:15:44 GMT
Sense of Security - Security Advisory - SOS-12-006
Release Date. 13-Jun-2012
Last Update. -
Vendor Notification Date. 12-Mar-2012
Product. QNAP
Platform. Turbo NAS (verified) and possibly others
Affected versions. Firmware Version: 3.6.1 Build 0302T and prior
Severity Rating. High
Impact. Exposure of sensitive information
        Exposure of system information
        Privilege escalation
        System access
Attack Vector. Remote with authentication
Solution Status. Currently no software update;
                 vendor has elected not to fix at this time
CVE reference. CVE - not yet assigned
Details.
QNAP provide NAS technology solutions to consumers and enterprises.
Multiple vulnerabilities have been identified in the web management
interface.
1. Command Injection:
The QNAP Download Station (QDownload) is vulnerable to command injection
as the application executes user-controllable data that is processed by
a shell command interpreter.
The following resources, accessible post-authentication, are affected:
/cgi-bin/Qdownload/DS_RSS_Option.cgi [keyword parameter]
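
An added detection example (not part of the Sense of Security advisory): a Python scan of web access logs for requests to the resource above whose keyword parameter decodes to shell metacharacters. It assumes combined-format access logs and that the parameter is sent in the query string; the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter named in the advisory.
TARGET_PATH = "/cgi-bin/Qdownload/DS_RSS_Option.cgi"
TARGET_PARAM = "keyword"

# Characters a POSIX shell treats as control or expansion syntax.
SHELL_META = set(";|&`$()<>\n\r\\'\"")

# Assumption: the request field looks like "METHOD URI HTTP/x.y" (combined log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_keyword(line):
    """Return the decoded keyword value if it holds shell metacharacters, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    for value in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        if SHELL_META & set(value):
            return value
    return None


def scan(lines):
    """Return (line number, decoded value) for every flagged log line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_keyword(line)) is not None]


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - admin [17/Jun/2012:10:00:01 +0000] "GET /cgi-bin/Qdownload/DS_RSS_Option.cgi?keyword=linux+iso HTTP/1.1" 200 512',
    '192.0.2.44 - admin [17/Jun/2012:10:02:13 +0000] "GET /cgi-bin/Qdownload/DS_RSS_Option.cgi?keyword=x%3Bid HTTP/1.1" 200 498',
    '192.0.2.44 - admin [17/Jun/2012:10:02:40 +0000] "GET /cgi-bin/Qdownload/DS_RSS_Option.cgi?keyword=%60uname%60 HTTP/1.1" 200 498',
    '192.0.2.10 - admin [17/Jun/2012:10:05:00 +0000] "GET /cgi-bin/index.cgi?keyword=a%7Cb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious keyword {value!r}")
```

Requests that carry the parameter in a POST body do not appear in access logs, so the same check would have to run at a reverse proxy or WAF to see them.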