!! 3 Cross-site-scripting issues !!
-
- Getting the hang of things
- Posts: 85
- Joined: Fri Mar 28, 2008 1:44 am
!! 3 Cross-site-scripting issues !!
Hello QNAP-Staff,
there is a heavy XSS issue with your photostation.
Please contact me for details.
greetings
Last edited by Patchington on Fri Dec 21, 2012 9:46 pm, edited 1 time in total.
- doktornotor
- Ask me anything
- Posts: 7472
- Joined: Tue Apr 24, 2012 5:44 am
Re: !! Cross-site-scripting issue !!
I'm gone from this forum till QNAP stop wasting volunteers' time. Get help from QNAP helpdesk instead.
Warning: offensive signature and materials damaging QNAP reputation follow:
QNAP's FW security issues
QNAP's hardware compatibility list madness
QNAP's new logo competition
Dear QNAP, kindly fire your clueless incompetent forum "admin" And while at it, don't forget the webmaster!
-
- Experience counts
- Posts: 1543
- Joined: Tue Dec 18, 2012 9:29 am
- Contact:
Re: !! Cross-site-scripting issue !!
I've passed this on and hopefully it'll be looked into ASAP
-
- Getting the hang of things
- Posts: 85
- Joined: Fri Mar 28, 2008 1:44 am
Re: !! Cross-site-scripting issue !!
Thanks, got in contact with QNAPJason. He has all the information on this now.
Keep up your good work
- QNAPJason
- QNAP Staff
- Posts: 5398
- Joined: Thu May 21, 2009 2:14 pm
- Location: Taipei
Re: !! Cross-site-scripting issue !!
Hi Patchington,
Thank you for the example via PM.
We have just fixed the issue here and will provide the fix in the next update.
-
- Getting the hang of things
- Posts: 85
- Joined: Fri Mar 28, 2008 1:44 am
Re: !! Cross-site-scripting issue !!
Another XSS vuln found! This time it is within your tvstation....
You see, I don't have extensive time to check all those applications,
but I am able to 'stumble' across this; what would the bad guys do? Just sayin'....
greetings
[EDIT]
Sent you an example for a hexed xss-attack
How long until the scheduled update?
[EDIT-2]
Another XSS: this time...VideoStation... -> see PM
-
- Getting the hang of things
- Posts: 85
- Joined: Fri Mar 28, 2008 1:44 am
Re: !! 3 Cross-site-scripting issues !!
2 / 3 vulns are now listed on www.cert.at; upcoming report to securityfocus.com
- QNAPJason
- QNAP Staff
- Posts: 5398
- Joined: Thu May 21, 2009 2:14 pm
- Location: Taipei
Re: !! 3 Cross-site-scripting issues !!
Hi
we just fixed the TV Station issue and will issue a new QPKG for it.
For Video Station, can we give a more detailed example?
thank you
have a nice weekend!
jason
-
- Getting the hang of things
- Posts: 85
- Joined: Fri Mar 28, 2008 1:44 am
Re: !! 3 Cross-site-scripting issues !!
You got PM with request/ response-output related to your videostation.
-
- Getting the hang of things
- Posts: 64
- Joined: Fri Apr 02, 2010 5:54 pm
- Location: Stuttgart
Re: !! 3 Cross-site-scripting issues !!
Ah, so maybe I don't want to upgrade from 3.8.0 to 3.8.1?
Don't want to get even more rabbit holes in my two QNAPs....
How about QNAP offering a detailed CHANGELOG for the F***G updates?
Nothing to be found about 3.8.1 with Google.
Running a TS410 and a TS659pro. Right now (2012/12/15) I would gladly exchange them to any other similar system not produced by QNAP. Most of the QNAP frontends are just so CRAPPY as if a trainee did the development.
-
- Been there, done that
- Posts: 615
- Joined: Sun Jul 12, 2009 1:23 pm
Re: !! 3 Cross-site-scripting issues !!
The vulnerabilities referenced are in the QPKGs, not the base firmware. Don't install/enable the QPKG, no vulnerability, but no functionality.
Has nothing to do with 3.8.0 to 3.8.1.
Also, QNAP posts a summary of changes of each firmware version in the appropriate forum sections. They also provide the same summary in the "notes" section of the download website.
It would be nice to get more details, I agree, but at least high-level items are provided, which is rather comparable to other vendors who make similar NAS products. So while I'm sure you can request it, I would doubt much change here; unless other companies provide more detail, there is not much of an incentive for QNAP to. But it sounds like QNAP will at least consider more comprehensive summaries in the future (per a post from QNAPLars).
---
-
- Getting the hang of things
- Posts: 64
- Joined: Fri Apr 02, 2010 5:54 pm
- Location: Stuttgart
Re: !! 3 Cross-site-scripting issues !!
Nice to know that only QPKGs are the problem.
All I use from QNAP is QPKGs to run VirtualBox. No other services are started except for the administration web UI and therefore the Apache server.
So I'm just ready to get F**KED if anybody finds a way into my DMZ.
Nice.
- schumaku
- Guru
- Posts: 43578
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: !! 3 Cross-site-scripting issues !!
mannebk wrote:
Nice to know that only QPKGs are the problem.
The scope is very clear in the thread here - the suspect Stations are clearly listed.
Not the first and not the last XSS issue in Web applications. Running VirtualBox won't help anything here.
mannebk wrote:
So I'm just ready to get F**KED if anybody finds a way into my DMZ.
There is only one secure option to ensure this: Disconnect your appliances and computer(s) from the Internet. And no - bringing Apache and MySQL to the latest status won't change much, either.
These NAS are becoming giant complex systems - even the best QA will not help here. Except you are willing to wait for updates a very long time