!! 3 Cross-site-scripting issues !!

Please post your questions about using the web-based Photo, Music, Video Stations here.
Patchington
Getting the hang of things
Posts: 85
Joined: Fri Mar 28, 2008 1:44 am

!! 3 Cross-site-scripting issues !!

Post by Patchington »

Hello QNAP-Staff,

There is a heavy XSS issue with your Photo Station.
Please contact me for details.


greetings
Last edited by Patchington on Fri Dec 21, 2012 9:46 pm, edited 1 time in total.
doktornotor
Ask me anything
Posts: 7472
Joined: Tue Apr 24, 2012 5:44 am

Re: !! Cross-site-scripting issue !!

Post by doktornotor »

Patchington wrote: Please contact me for details.
:lol: :lol: :lol:

QNAP Customer Service.
I'm gone from this forum till QNAP stop wasting volunteers' time. Get help from QNAP helpdesk instead.
Warning: offensive signature and materials damaging QNAP reputation follow:
QNAP's FW security issues
QNAP's hardware compatibility list madness
QNAP's new logo competition
Dear QNAP, kindly fire your clueless incompetent forum "admin" And while at it, don't forget the webmaster!
LarsN
Experience counts
Posts: 1543
Joined: Tue Dec 18, 2012 9:29 am
Contact:

Re: !! Cross-site-scripting issue !!

Post by LarsN »

I've passed this on and hopefully it'll be looked into ASAP
Patchington
Getting the hang of things
Posts: 85
Joined: Fri Mar 28, 2008 1:44 am

Re: !! Cross-site-scripting issue !!

Post by Patchington »

Thanks, got in contact with QNAPJason. He has all the information on this now.

Keep your good work up :!:
QNAPJason
QNAP Staff
Posts: 5398
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: !! Cross-site-scripting issue !!

Post by QNAPJason »

Hi Patchington,
Thank you for the example via PM.
We have just fixed the issue here and will provide the fix in the next update.
Patchington
Getting the hang of things
Posts: 85
Joined: Fri Mar 28, 2008 1:44 am

Re: !! Cross-site-scripting issue !!

Post by Patchington »

Another XSS vuln found! This time it is within your TV Station....

You see, I don't have extensive time to check all those applications,
but I am able to 'stumble' across this; what would the bad guys do? Just sayin'....

greetings

[EDIT]
Sent you an example for a hexed XSS attack.
How long until the scheduled update?

[EDIT-2]
Another XSS: this time... Video Station... -> see PM
Patchington
Getting the hang of things
Posts: 85
Joined: Fri Mar 28, 2008 1:44 am

Re: !! 3 Cross-site-scripting issues !!

Post by Patchington »

2 / 3 vulns are now listed on www.cert.at; upcoming report to securityfocus.com
QNAPJason
QNAP Staff
Posts: 5398
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: !! 3 Cross-site-scripting issues !!

Post by QNAPJason »

Hi,
we just fixed the TV Station issue and will issue a new QPKG for it.
For Video Station, can you give a more detailed example?

thank you

have a nice weekend!

jason
Patchington
Getting the hang of things
Posts: 85
Joined: Fri Mar 28, 2008 1:44 am

Re: !! 3 Cross-site-scripting issues !!

Post by Patchington »

You got a PM with the request/response output related to your Video Station.
mannebk
Getting the hang of things
Posts: 64
Joined: Fri Apr 02, 2010 5:54 pm
Location: Stuttgart

Re: !! 3 Cross-site-scripting issues !!

Post by mannebk »

Ah, so maybe I don't want to upgrade from 3.8.0 to 3.8.1?

Don't want to get even more rabbit holes in my two QNAPs....

How about QNAP offering a detailed CHANGELOG for the F***G updates?

Nothing to be found about 3.8.1 with Google.
Running a TS410 and a TS659pro. Right now (2012/12/15) I would gladly exchange them to any other similar system not produced by QNAP. Most of the QNAP frontends are just so CRAPPY as if a trainee did the development.
rinthos
Been there, done that
Posts: 615
Joined: Sun Jul 12, 2009 1:23 pm

Re: !! 3 Cross-site-scripting issues !!

Post by rinthos »

The vulnerabilities referenced are in the QPKGs, not the base firmware. Don't install/enable the QPKG: no vulnerability, but no functionality.
It has nothing to do with 3.8.0 to 3.8.1.
Also, QNAP posts a summary of changes for each firmware version in the appropriate forum sections. They also provide the same summary in the "notes" section of the download website.

It would be nice to get more details, I agree, but at least high-level items are provided, which is rather comparable to other vendors who make similar NAS products. So while I'm sure you can request it, I would doubt much change here; unless other companies provide more detail, there is not much of an incentive for QNAP to. But it sounds like QNAP will at least consider more comprehensive summaries in the future (per a post from QNAPLars).

---
mannebk
Getting the hang of things
Posts: 64
Joined: Fri Apr 02, 2010 5:54 pm
Location: Stuttgart

Re: !! 3 Cross-site-scripting issues !!

Post by mannebk »

Nice to know that only QPKGs are the problem.

All I use from QNAP is QPKGs to run VirtualBox. No other services are started except for the administration web UI and therefore the Apache server.

So I'm just ready to get F**KED if anybody finds a way into my DMZ.

Nice.
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: !! 3 Cross-site-scripting issues !!

Post by schumaku »

mannebk wrote: Nice to know that only QPKGs are the problem.
The scope is very clear in the thread here - the suspect Stations are clearly listed.

Not the first and not the last XSS issue in Web applications. Running VirtualBox won't help anything here.
mannebk wrote: So I'm just ready to get F**KED if anybody finds a way into my DMZ.
There is only one secure option to ensure this: disconnect your appliances and computer(s) from the Internet. And no - bringing Apache and MySQL to the latest status won't change much, either.

These NAS are becoming giant complex systems - even the best QA will not help here. Unless you are willing to wait for updates a very long time.