Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[m3rs4]

Thanks puterboy  for finding those issues involving security. I really think Dlink must patch those holes in the next firmware ASAP.  Whats the point of having a handful features such as NETWORK ACCESS LIST, USER or GROUP settings when a single http request can get around all that?

[hilaireg]

I'm going to assume the tests were done on f/w 1.05

I was able to reproduce the 'passwrd' vulnerability but was not able to reproduce the others mentioned in the post ... BTW: the 'passwrd' vulnerability doesn't appear to work on the DNS-343 f/w 1.02.

In order to assist D-Link, a steps-to-reproduce should be emailed to their support engineers - not posted on this forum.  This ensures that the knowledge on how to reproduce the vulnerability be provided to the engineers, QA testers for future f/w versions, and be kept as secret as possible to prevent it from being exploited by Trojans, Viruses, etc.  Additionally, wouldn't want the kiddies or guests staying over to stumble on this thread 

I don't typically store any confidential information on any NAS - it's simply not best security practice to do so.  I'll let 'Google' provide supporting White Papers.  Just don't confuse NAS with SAN

Additionally, I disable the options noted below to reduce the exposure:

- iTunes Server
- FTP Server
- UPnP

So at best, the only folks that can access the 'pulbic' data on the NAS are those on the private LAN or those who have been granted access over wireless.

Like others have posted, I prefer stable firmware releases over multiple releases - I've experienced many a f/w updates bricking a device to know that gradual roll-of f/w updates is the only way to go.

Cheers,

PS: Throw a Mac on your LAN and see how "secure" your LAN really is 

[fordem]

Thanks puterboy  for finding those issues involving security. I really think Dlink must patch those holes in the next firmware ASAP.

Actually - those "vulnerabilities" have been known about for many months, long before 'puterboy came along - it would be interesting to find out if he dsicovered them on his own, or if he learned about them, the same way I did -  from someone else.  Search this forum, if you want to know when they were first mentioned.

Whats the point of having a handful features such as NETWORK ACCESS LIST, USER or GROUP settings when a single http request can get around all that?

Let me put it this way - if you hadn't read 'puterboy's expose, would you have been able to craft the "single http request" required to get around it?

And before people misunderstand where I'm coming from (AGAIN) - even with this security hole, the level of security provided is adequate for the environment in which the device is intended to be used - look at the difference between 'puterboy's post and hilaireg's post - one is alarmist and the other realistic - sure anyone with access to your local LAN can get access, but, WHO has access to your local LAN becomes the question - and in a residential and environment, most people with access to the local LAN also have physical access - anyone who wants to get you data needs only to pickup the DNS-323 and walk out with it.

[mig]

Search this forum, if you want to know when they were first mentioned.

http://forums.dlink.com/index.php?topic=1820.0

[ECF]

This issue will be patched in firmware 1.06.