I'm again here with a Synology DSM vulnerability.
I found a lot of directory traversal in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even if not administrative, to access, create, delete, modify system and configuration files.
The only countermeasure implemented against this vulnerability is the check that the path starts with a valid shared folder, so is enough to put the "../" straight after, to bypass the security check.
Vulnerables CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi
Not tested all the CGI, but I guess that many others are vulnerable, so don't take my list as comprehensive.
Version affected: <= 4.3-3810
More info here: http://www.andreafabrizi.it/?exploits:dsm_2
