Entries by Mark Woods

QNAP Signage Station: Publish and Be Damned (Part 2)

tl;dr Nettitude has discovered that the iArtist application is vulnerable to CWE-290 Authentication Bypass by Spoofing. This flaw can be leveraged to remove the need to supply valid credentials when uploading a presentation. Additionally, the Signage Station system suffers from CWE-768 Use of Hard-coded Credentials. This grants access to the host NAS FTP service and […]

QNAP Signage Station: Publish and Be Damned (Part 1)

tl;dr Nettitude researchers have discovered that QNAP Signage Station is vulnerable to CWE-434, Unrestricted Upload of File with Dangerous Type. This flaw can be leveraged by a low-privileged remote user to gain interactive system access as a member of the Administrator’s group. Introduction: Signage Station is a QNAP-authored application that runs on a […]