This article is more than 1 year old
Synology slings patch at buggy NAS boxens
Free photo peep for hacker creeps
Securify co-founder Cengiz Han Sahin says Synology has patched a remote vulnerability that allowed attackers to compromise its storage devices.
Sahin reported vulnerabilities that allowed web servers in Synology's Photo Station to be compromised to the vendor .
The hacker says Photo Station, which allows users to access their network access storage boxen over the internet, did not properly sanitise input.
"A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the web server," Sahin says in an advisory.
"An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS.
"It was found that Photo Station does not properly sanitise user input and as a result attackers can inject their own systems commands that will be executed by Photo Station."
Sahin says Photo Station also failed to protect against cross-site request forgery attacks allowing attackers to trick victims into visiting malicious sites to execute arbitrary commands on the box with web server privileges.
Synology did not make note of the nasty security flaws in its patch notice. ®
Biting the hand that feeds IT
