Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Piotr]

Hardware Version: A1
Firmware Version: 1.08 beta
Software Version (Easy Search): 4.7.0.0 beta

Harddrive 1: Western Digital 1TB (WD10EACS-00ZJB0)
Harddrive 2: empty

Problem Type:

□ Other: security bug

Problem Description:

Everybody can access BT without authentication using direct link.

Function Tested: apkg bittorrent 1.00 beta

Test Procedure (steps to reproduce):

Just type this address in your browser: http://<put_dns323_ip_here>/imodule/BitTorrent/webui/fe02.asp

e.g. http://10.10.10.2/imodule/BitTorrent/webui/fe02.asp

To access BT settings page just type: http://<put_dns323_ip_here>/imodule/BitTorrent/webui/btsettings.asp

[sgip2000]

I can confirm this as well.

[Banshee1971]

same result from me !

[klein]

same result for me!!!

[Piotr]

Bug still present in 1.08b05 firmware !!!

Only this time type:
http://<yourdnsip>/imodule/BitTorrent/webui/fe02.asp?flag_btui=1

The way D-Link treats security bugs is unacceptable   (add flag_btui=1 to url and every user has easy access to your BT -> they can add their own torrents, delete your tasks etc.)
This is old bug (it was reported over a year ago -> 1.05 firmware) and it's still not properly fixed.

[JohnnyDemonic]

I actually like it this way, now I can view the whole torrent information without the screen being cut off.  Looks much better to me.  Your NAS should be behind a router and firewall already.  The security is fine as I see it.

I hope it stays this way for me at least.