I discovered a security vulnerability in the media server logs of Twonkymedia that exposes the root password for your NAS to the Internet. The Twonky Media server (included with most QNAP devices) logs the activity of the server as it indexes media and communicates with connecting devices. At the end of each handshake, the logs openly reveal the admin username and password in an unencrypted format. Disabling the logging does not fix the problem because Twonky continues to log standard events.

The link each of us uses to view the log, located within the Twonkymedia administration interface, is a simple RPC (remote procedure call) to the server requesting the log. It does not require authentication to access. In fact, if someone knows your IP address or domain name, they can call the same URL and view your log containing your server master password. This problem can be mitigated by blocking all remote requests for port 9000 and by NOT port forwarding port 9000 from the Internet, but this will prevent you from managing the server remotely and still does not protect you against "intranetwork" penetration attempts through your local LAN.

This is impossible because TMS does not have access to the root password of a NAS. Therefore, independent of any log or security failure, TMS CANNOT expose the root password of a QNAP NAS. TMS can have its own password protection to protect its own config pages. Because of this, we've implemented a second setting called (enableweb) that allows a user to do the configuration of devices only from localhost (by setting enableweb=1). This works today on all our supported platforms including Win32 PC, Mac and Linux PC. A user is only vulnerable on a self-installed NAS system where users have no local browser available, but want to use our web config pages, and
Our OEM customers like QNAP can use this option as it enables the local RPC calls and they can also implement their own secure Web config pages.
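The failure mode described above is a server log that echoes credentials from each client handshake and is then served without authentication. Before exposing any such log (or to check whether yours already leaks), a practitioner would want to scan it for cleartext credentials and redact them. The following is an added example written for this page; it is not code from the original post, from Twonky or from QNAP. The log line format, the `user=`/`password=` fields and the HTTP Basic `Authorization:` header in the sample are assumptions chosen to illustrate the two common ways a handshake leaks a password into a log; the sample lines are constructed, not a real capture.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log. The line format and the two credential-bearing lines
# are assumptions for illustration; they are not an actual Twonky log excerpt.
SAMPLE_LOG = """\
12:01:03 INFO  scan: indexed /share/Multimedia/Photos (1842 files)
12:01:09 INFO  client 192.168.1.23 connected (UPnP renderer)
12:01:10 DEBUG http: Authorization: Basic YWRtaW46aHVudGVyMg==
12:01:10 INFO  login ok user=admin password=hunter2
12:01:12 INFO  client 192.168.1.23 disconnected
"""

REDACTED = "[REDACTED]"

# key=value secrets: password=..., passwd=..., pwd=..., secret=..., token=...
SECRET_KV = re.compile(r"\b(pass(?:word|wd)?|pwd|secret|token)(\s*=\s*)(\S+)", re.IGNORECASE)
# key=value usernames, used only to report whose credential leaked
USER_KV = re.compile(r"\b(?:user(?:name)?|login)\s*=\s*(\S+)", re.IGNORECASE)
# HTTP Basic authentication header echoed into a log line
BASIC_AUTH = re.compile(r"(Authorization:\s*Basic\s+)([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str                 # "basic-auth" or "key-value"
    username: Optional[str]   # None when the line names no user


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic auth token into (user, password); None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:        # binascii.Error is a ValueError subclass
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def scan_log(text: str) -> Tuple[List[Finding], str]:
    """Return (findings, redacted_text) for a log that may echo credentials."""
    findings: List[Finding] = []
    clean_lines: List[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        basic = BASIC_AUTH.search(line)
        if basic:
            decoded = decode_basic(basic.group(2))
            user = decoded[0] if decoded else None
            findings.append(Finding(line_no, "basic-auth", user))
            line = BASIC_AUTH.sub(r"\g<1>" + REDACTED, line)
        if SECRET_KV.search(line):
            user_match = USER_KV.search(line)
            user = user_match.group(1) if user_match else None
            findings.append(Finding(line_no, "key-value", user))
            line = SECRET_KV.sub(r"\g<1>\g<2>" + REDACTED, line)
        clean_lines.append(line)
    return findings, "\n".join(clean_lines)


if __name__ == "__main__":
    found, redacted = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} credential for user {f.username!r}")
    print(redacted)
```

Run against the sample, `scan_log` reports the Basic auth header on line 3 and the `password=` field on line 4, both belonging to `admin`, and returns a copy of the log with the token and the password replaced by `[REDACTED]`. Redaction is a stop-gap: if the log is reachable without authentication, as the post describes, the real fix is to keep it off the network (do not forward port 9000, and restrict the config interface to localhost where the software allows it), since an attacker on the LAN reads the original file, not your redacted copy.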