Full Disclosure mailing list archives
SSD Advisory – QNAP HelpDesk SQL Injection
From: Maor Shwartz <maors () beyondsecurity com>
Date: Mon, 9 Oct 2017 17:30:09 +0300
SSD Advisory – QNAP HelpDesk SQL Injection

Full report: https://blogs.securiteam.com/index.php/archives/3469
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary

The following advisory describes a SQL injection found in QTS Helpdesk versions 1.1.12 and earlier.

QNAP helpdesk: “Starting from QTS 4.2.2 you can use the built-in Helpdesk app to directly submit help requests to QNAP from your NAS. To do so, ensure your NAS can reach the Internet, open Helpdesk from the App Center, and create a new Help Request. Helpdesk will automatically collect and attach NAS system information and system logs to your request, and you can provide other information such as the steps necessary to reproduce the error, the error message and screenshots so we can identify the problem faster.”

Credit

An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

QNAP has released patches to address this vulnerability. For more information: https://www.qnap.com/en/security-advisory/nas-201709-29

CVE: CVE-2017-13068

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514
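The advisory's actionable detail is the affected range, "1.1.12 and earlier". The following is an added example, not code from the advisory or from QNAP, that checks an inventory of Helpdesk versions against that range; it compares version components numerically, because a plain string comparison ranks "1.1.9" above "1.1.12" and would miss affected builds. The inventory and hostnames are constructed sample data.

```python
# Added example (not part of the SSD advisory): flag QTS Helpdesk installs
# that fall in the affected range stated in the advisory, "1.1.12 and
# earlier" (CVE-2017-13068). Components are compared as integers; a plain
# string comparison gets "1.1.9" vs "1.1.12" wrong. All inventory data
# below is constructed for illustration.
import re

AFFECTED_MAX = "1.1.12"  # last affected Helpdesk version per the advisory


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' (optional 'v' prefix, optional trailing
    tag such as '-beta') into a tuple of ints for ordered comparison.
    Raises ValueError on anything that does not look like a version."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(installed: str) -> bool:
    """True if the installed Helpdesk version is 1.1.12 or earlier."""
    return parse_version(installed) <= parse_version(AFFECTED_MAX)


def triage(inventory: dict) -> list:
    """Return the hosts from a {host: helpdesk_version} inventory that still
    run an affected Helpdesk build, sorted by hostname."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are hypothetical).
    sample = {"nas-01": "1.1.9", "nas-02": "1.1.12",
              "nas-03": "1.1.13", "nas-04": "1.2.0"}
    print(triage(sample))  # ['nas-01', 'nas-02']
```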
Attachment:
SSD Advisory – QNAP HelpDesk SQL Injection – SecuriTeam Blogs.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/