I'm here again with a Synology DSM vulnerability.
I found a lot of directory traversal vulnerabilities in the FileBrowser components.
This kind of vulnerability allows any authenticated user, even a non-administrative one, to access, create, delete, and modify system and configuration files.
The only countermeasure implemented against this vulnerability is a check that the path starts with a valid shared folder, so it is enough to put "../" straight after the shared folder to bypass the security check.
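The prefix-only check described above, next to a canonicalize-then-contain check, as an added example that is not part of the original post or Synology's code. The share roots and function names are assumptions made for illustration.

```python
import posixpath

# Assumed share roots for illustration; the page does not list real ones.
SHARED_FOLDERS = ("/volume1/public", "/volume1/homes")


def naive_check(path):
    """The flawed pattern: only tests that the raw string starts with a share."""
    return any(path.startswith(root + "/") for root in SHARED_FOLDERS)


def resolve_in_share(path):
    """Canonicalize first, then test containment.

    Returns the canonical path, or None if the request is relative,
    contains a NUL byte, or resolves outside every shared folder.
    """
    if "\x00" in path or not path.startswith("/"):
        return None
    # Lexical canonicalization: collapses "..", "." and repeated slashes.
    # A filesystem-backed service should also resolve symlinks
    # (os.path.realpath) before the containment test.
    canonical = posixpath.normpath(path)
    for root in SHARED_FOLDERS:
        # commonpath compares whole components, so /volume1/public2
        # is not treated as being inside /volume1/public.
        if posixpath.commonpath([root, canonical]) == root:
            return canonical
    return None


# Constructed sample requests, not captured traffic.
SAMPLES = [
    "/volume1/public/docs/report.txt",
    "/volume1/public/../../etc/passwd",
    "/volume1/homes/alice/./notes//todo.txt",
    "/volume1/public2/file",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r}: naive={naive_check(p)} hardened={resolve_in_share(p)}")
```

Every file operation should then use the canonical path returned by the check, never the original request string.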
Vulnerable CGIs:
- /webapi/FileStation/html5_upload.cgi
- /webapi/FileStation/file_delete.cgi
- /webapi/FileStation/file_download.cgi
- /webapi/FileStation/file_sharing.cgi
- /webapi/FileStation/file_share.cgi
- /webapi/FileStation/file_MVCP.cgi
- /webapi/FileStation/file_rename.cgi
I have not tested all the CGIs, but I guess that many others are vulnerable, so don't take my list as comprehensive.
Version affected: <= 4.3-3810
More info here: http://www.andreafabrizi.it/?exploits:dsm_2
3 comments:
Thank you for this work. I hope Synology will start locking down their devices a bit better, I'm too worried to use it to its full potential. Did you find anything else interesting?