D-Link Forums
The Graveyard - Products No Longer Supported => DNS-323 => D-Link Storage => Beta code! => Topic started by: Piotr on May 16, 2009, 06:38:18 AM
-
Hardware Version: A1
Firmware Version: 1.08 beta
Software Version (Easy Search): 4.7.0.0 beta
Harddrive 1: Western Digital 1TB (WD10EACS-00ZJB0)
Harddrive 2: empty
Problem Type:
□ Other: security bug
Problem Description:
Everybody can access BT without authentication using a direct link.
Function Tested: apkg bittorrent 1.00 beta
Test Procedure (steps to reproduce):
Just type this address in your browser: http://<put_dns323_ip_here>/imodule/BitTorrent/webui/fe02.asp
e.g. http://10.10.10.2/imodule/BitTorrent/webui/fe02.asp
To access BT settings page just type: http://<put_dns323_ip_here>/imodule/BitTorrent/webui/btsettings.asp
-
I can confirm this as well.
-
Same result from me!
-
Same result for me!!!
-
Bug still present in 1.08b05 firmware!!!
Only this time type:
http://<yourdnsip>/imodule/BitTorrent/webui/fe02.asp?flag_btui=1
The way D-Link treats security bugs is unacceptable >:( (add flag_btui=1 to url and every user has easy access to your BT -> they can add their own torrents, delete your tasks etc.)
This is an old bug (it was reported over a year ago -> 1.05 firmware) and it's still not properly fixed.
-
I actually like it this way, now I can view the whole torrent information without the screen being cut off. Looks much better to me. Your NAS should be behind a router and firewall already. The security is fine as I see it.
I hope it stays this way for me at least.
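-
Added example, not part of the original thread and not D-Link code: a check an owner can run against their own DNS-323 after a firmware change to see whether the BitTorrent pages quoted above are still served to a client that sends no cookies or credentials. It assumes a fixed firmware would answer 401/403 or redirect to a login page; the function names are hypothetical.

```python
import urllib.error
import urllib.request

# Paths quoted in the thread above; each is appended to the NAS base URL.
PATHS = [
    "/imodule/BitTorrent/webui/fe02.asp",
    "/imodule/BitTorrent/webui/fe02.asp?flag_btui=1",
    "/imodule/BitTorrent/webui/btsettings.asp",
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of silently following them to a login page.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_path(base_url, path, timeout=5):
    """Request one path with no cookies or credentials; return (status, verdict)."""
    # Empty ProxyHandler: talk to the LAN device directly, ignoring proxy env vars.
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 3xx/4xx/5xx arrive here because redirects are not followed
    except (urllib.error.URLError, OSError):
        return None, "unreachable"
    # Assumption: a fixed firmware answers 401/403 or redirects to a login page.
    if status in (401, 403) or 300 <= status < 400:
        return status, "auth enforced"
    if status == 200:
        return status, "SERVED WITHOUT AUTH"
    return status, "inconclusive"


def audit(base_url):
    """Check every path from the thread; return {path: (status, verdict)}."""
    return {path: check_path(base_url, path) for path in PATHS}


if __name__ == "__main__":
    import sys
    for path, (status, verdict) in audit(sys.argv[1]).items():
        print(f"{verdict:20} {status} {path}")
```

A 200 verdict only shows that the page was returned without credentials; if a firmware answers 200 with a login form in the body, confirm by looking at the response in a browser.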