Hello, first of all forgive my bad English; my native language is Spanish. I am new to the forum, although I have had a DNS320L for years.
I have decided to write to give my opinion about something that, even after all the updates I have applied to my system, I still do not see addressed.
I think there are big security breaches, caused by the programming language used for access to the administration system (web). Using a language that works on the client side, such as JavaScript, and that makes queries directly is sometimes very vulnerable, since from the client side you can see the code, which makes it easier to detect errors and, consequently, to exploit them manually (this already happened before with the user registration error).
In my opinion, you should migrate the system to another type of language such as PHP, working on the server side and not the client.
- For example, the password in the login system is encrypted in Base64, which is easily reversible; if that information is captured, it would be as simple as base64-decoding it and we would have the real login key. I think it could be improved by implementing another type of hash, such as SHA-2 or SHA-3.
Also regarding access: since the filtering of the form is done through JavaScript, it is easily manipulated to log in with blocked accounts:
var re = /root|anonymous|nobody|administrator|ftp|guest|squeezecenter|sshd|messagebus|netdev/i; // denylist applied in the browser before the login request is sent
which adds one more point of insecurity to our system, instead of filtering the user on the server side.
In short, this is only my opinion and an example of something I have not been able to find a solution for in years; I just wanted to contribute my bit.
I hope I'm wrong and that it's just a misunderstanding. Thanks.