Firefly iTunes security vulnerabilities

[veggiespam]

I updated to the 4.4.1 beta and see we are still using Firefly iTunes version svn-1696. This version is twelve years old. It has remotely exploitable unauthenticated security vulnerabilities. The URL in in the about page on my Qnap mentions original www.fireflymediaserver.org website which no longer loads and an apparent later maintainer purchased www.fireflymediaserver.net which is now for sale by some shady auction house. This maintainer recommends moving to https://github.com/ejurgensen/forked-daapd which is actually updated.

The security vulnerabilities in Firefly on the Qnap server have the possibly of instantly crashing the Firefly service and another will peg the CPU to 100%, possibly causing harm to the entire Qnap system. There are two additional vulnerabilities published by Mitre, CVE-2007-5825 & CVE-2007-5824, one of which is classified as "remote code execution" vulnerability. Basically, anyone on your network can do whatever they want to your device, possibly even wipe it; but the exploit code is less public. Here is how to exploit the two less severe problems which are readily discoverable on the first page of Google.

To crash the Firefly, do this:

nc {QnapServer} 3689
GET / HTTP/1.0
User-Agent: test
User-Agent: test
{hit enter twice}

And no more music in your house.

To run up the CPU and screw up your Qnap's speed, do this:

nc {QnapServer} 3689
GET / HTTP/1.0
{do nothing, leave window open}

Repeat this in multiple windows to run up the CPU.

These are four different attacks from 2007. They are very public. These were fixed. Can we also get this fix?

[dolbyman]

you need to let qnap know..we cant do anything about it