!! 3 Cross-site-scripting issues !!

Please post your questions about using the web-based Photo, Music, Video Stations here.
Post Reply
Patchington
Getting the hang of things
Posts: 84
Joined: Fri Mar 28, 2008 1:44 am
Location: behind you

!! 3 Cross-site-scripting issues !!

Post by Patchington » Tue Dec 18, 2012 10:09 pm

Hello QNAP-Staff,

there is a heavy XSS issue with your photostation.
Please contact me for details.


greetings
Last edited by Patchington on Fri Dec 21, 2012 9:46 pm, edited 1 time in total.

User avatar
doktornotor
Ask me anything
Posts: 7521
Joined: Tue Apr 24, 2012 5:44 am

Re: !! Cross-site-scripting issue !!

Post by doktornotor » Tue Dec 18, 2012 11:41 pm

Patchington wrote:Please contact me for details.


:lol: :lol: :lol:

QNAP Customer Service.
I'm gone from this forum till QNAP stop wasting volunteers' time. Get help from QNAP helpdesk instead.
Warning: offensive signature and materials damaging QNAP reputation follow:
QNAP's FW security issues
QNAP's hardware compatibility list madness
QNAP's new logo competition
Dear QNAP, kindly fire your clueless incompetent forum "admin" And while at it, don't forget the webmaster!

LarsN
Experience counts
Posts: 1545
Joined: Tue Dec 18, 2012 9:29 am
Contact:

Re: !! Cross-site-scripting issue !!

Post by LarsN » Wed Dec 19, 2012 9:28 am

I've passed this on and hopefully it'll be looked into ASAP

Patchington
Getting the hang of things
Posts: 84
Joined: Fri Mar 28, 2008 1:44 am
Location: behind you

Re: !! Cross-site-scripting issue !!

Post by Patchington » Wed Dec 19, 2012 4:45 pm

Thanks, got contact to QNAPJason. He has all information on this now.

Keep your good work up :!:

User avatar
QNAPJason
QNAP Staff
Posts: 5393
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: !! Cross-site-scripting issue !!

Post by QNAPJason » Thu Dec 20, 2012 10:24 am

Hi Patchington,
Thank you for the example via PM.
We have just fixed the issue here and will provide the fix in the next update.

Patchington
Getting the hang of things
Posts: 84
Joined: Fri Mar 28, 2008 1:44 am
Location: behind you

Re: !! Cross-site-scripting issue !!

Post by Patchington » Thu Dec 20, 2012 3:40 pm

Another XSS vuln found! This time it is within your tvstation....

You see i don't have extensively time to check all that applications,
but i am able to 'stumble' across this, what would the bad guys do? Just sayin....

greetings

[EDIT]
Sent you an example for a hexed xss-attack
How long until the scheduled update?

[EDIT-2]
Another XSS: this time...VideoStation... -> see PM

Patchington
Getting the hang of things
Posts: 84
Joined: Fri Mar 28, 2008 1:44 am
Location: behind you

Re: !! 3 Cross-site-scripting issues !!

Post by Patchington » Sat Dec 22, 2012 5:44 am

2 / 3 Vulns are now listed on www.cert.at upcoming report to securityfocus.com

User avatar
QNAPJason
QNAP Staff
Posts: 5393
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: !! 3 Cross-site-scripting issues !!

Post by QNAPJason » Sat Dec 22, 2012 2:55 pm

Hi
we just fixed the TV station issue and will issue new QPKG for it.
For Video Station, can we give more detailed example?

thank u

have a nice weekend!

jason

Patchington
Getting the hang of things
Posts: 84
Joined: Fri Mar 28, 2008 1:44 am
Location: behind you

Re: !! 3 Cross-site-scripting issues !!

Post by Patchington » Sat Dec 22, 2012 5:26 pm

You got PM with request/ response-output related to your videostation.

mannebk
Getting the hang of things
Posts: 64
Joined: Fri Apr 02, 2010 5:54 pm
Location: Stuttgart

Re: !! 3 Cross-site-scripting issues !!

Post by mannebk » Sun Dec 23, 2012 7:12 am

ah, so maybe i dont want to upgrade form 3.8.0 to 3.8.1?

dont want to get even more rabbit holes in my two qnaps....

how about QNAP would do offer a detailed CHANGELOG for the F***G updates?

nothing to be found about 3.8.1 with google
Running a TS410 and a TS659pro. Right now (2012/12/15) I would gladly exchange them to any other similar system not produced by QNAP. Most of the QNAP frontends are just so CRAPPY as if a trainee did the development.

rinthos
Been there, done that
Posts: 608
Joined: Sun Jul 12, 2009 1:23 pm

Re: !! 3 Cross-site-scripting issues !!

Post by rinthos » Sun Dec 23, 2012 9:57 am

The vulnerabilities referenced are in the QPKGs, not the base firmware. Don't install/enable the QPKG, no vulnerability, but no functionality.
Has nothing to do with 3.8.0 to 3.8.1.
Also, qnap posts a summary of changes of each firmware version in the appropriate forum sections. They also provide the same summary in the "notes' section of the download website.

It would be nice to get more details, I agree, but at least high-level items are provided, which is rather comparable to other vendors who make similar NAS products, so while I'm sure you can request it, I would doubt much change here, unless other companies provide more detail, not much of an incentive for QNAP to, but it sounds like QNAP will at least consider more comprehensive summaries in the future (per a post from QNAPLars).

---

mannebk
Getting the hang of things
Posts: 64
Joined: Fri Apr 02, 2010 5:54 pm
Location: Stuttgart

Re: !! 3 Cross-site-scripting issues !!

Post by mannebk » Sun Dec 23, 2012 6:26 pm

nice to know that only QPKGs is the problem.

all i use from qnap is QPKGs to run virtualbox. no other services are started exept for the administration web UI and there fore the apache server.

so im just ready to get F**KED, if anybody finds a way into my DMZ

nice.
Running a TS410 and a TS659pro. Right now (2012/12/15) I would gladly exchange them to any other similar system not produced by QNAP. Most of the QNAP frontends are just so CRAPPY as if a trainee did the development.

User avatar
schumaku
Guru
Posts: 43673
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: !! 3 Cross-site-scripting issues !!

Post by schumaku » Sun Dec 23, 2012 10:35 pm

mannebk wrote:nice to know that only QPKGs is the problem.
The scope is very clear in the thread here - the suspect Station are clearly listed.

Not the first and not the last XSS issue in Web applications. Running VirtualBox wont help anything here.

mannebk wrote:so im just ready to get F**KED, if anybody finds a way into my DMZ
There is only one secure option to ensure this: Disconnect your appliances and computer(s) from the Internet. And no - brining Apache and MySQL to the latest status won't change much, too.

These NAS are becoming giant complex systems - even the best QA will not help here. Except you are willing to wait for updates a very long time

Post Reply

Return to “Photo Station, Music Station, Video Station”