D-Link Forums
The Graveyard - Products No Longer Supported => D-Link Storage => DNS-320L => Topic started by: FurryNutz on July 13, 2017, 06:24:35 AM
-
D-Link posted DNS-320L firmware version v1.10 B10, which can be downloaded here: DNS-320L (http://support.dlink.com/ProductInfo.aspx?m=DNS-320L).
07/12/2017
HW Versions Supported:
DNS-320L A1/A2/A3
DNS-320LW A1/A2
Problems Resolved:
Fixed Security vulnerability listed below:
• Fixed the SAMBA security issues. CVE-2017-7494 (https://nvd.nist.gov/vuln/detail/CVE-2017-7494)
• Fixed the login mydlink failure issue while the DNS server condition is abnormal.
Enhancements:
None
Known Issues:
None
Let us know how it works for you...
-
Is this a BETA version ?
-
Yes...will probably go full release.
-
Samba security fix - do you mean SambaCry?
-
Select the security link for more info on the CVE that was reported.
-
Hello, first of all forgive me for my bad English, my native language is Spanish, I am new to the forum, although for years I have a DNS320L.
I have decided to write to give my opinion, about something that still, I do not see all I have to do to update my system.
I think there are big security and security breaches, probocados for the programming language used for access to the administration system (web). The use of a language that works on the client side as well as in Javascript and making inquiries directly is sometimes very vulnerable, since from the other side of the client you can see the code, facilitating the detection of errors and, consequently, using manually (already happened before with the user registration error)
In my opinion I think you should migrate the system to another type of language such as php, working on the server side and not the client.
- For example, the password in the access system is encrypted in base64 easily reversible, if that information is captured, it would be as simple as decode64 and we would have the real entry key. I think it can be improved by implementing another type of encrypted hash SH2 - SH3.
Also reference to access, since the filtering of the form is through javascript, it is easily manipulated to log in with blocked accounts
var re = / root | anonymous | nobody | administrator | ftp | guest | squeezecenter | sshd | messagebus | netdev / i;
giving one more point of insecurity to our system, instead of filtering the user on the server side.
In short, this is only my opinion, and an example of something I can not find a solution for years ago, I just wanted the only thing I do is contribute my bit.
I hope I'm wrong and that it's just a confusion, thanks
-
just notice now that they released another update, version 1.10B03
-
New Build 03 available:
http://forums.dlink.com/index.php?topic=72768.0 (http://forums.dlink.com/index.php?topic=72768.0)
-
http://forums.dlink.com/index.php?topic=66969.0 (http://forums.dlink.com/index.php?topic=66969.0)
why the link to this forum post?
-
New build of FW.
-
just notice now that they released another update, version 1.10B03
New build of FW.
yes, thats what i wrote, the topic says verion B01 but they already release the B03, already updated and runing good.
what i meant is the link you post here should be to the new version
http://forums.dlink.com/index.php?topic=72768.0
-
Corrected. Thank you.