[!!] Fix CVE-2021-35941 ...
var/www/Admin/webapp/includes/component_config.php: add ADMIN_AUTH_LAN_ALL as the third element of the system_factory_restore entry

[!!] Fix CVE-2018-18472 ...
- rootfs/var/www/Admin/webapp/includes/languageConfiguration.php (validation check on the language parameter)
- rootfs/var/www/Admin/webapp/classes/api/1.0/rest/device/language_configuration.php (add an owner check so that nobody else can modify /etc/language.conf???)
... why can everybody do POST/PUT? Is it acceptable that everybody can change /etc/language.conf???

var/www/Admin/webapp/classes/api/1.0/rest/nascontroller.php:
1. Domains like wdtest*.com are available for registration... => outputCorsHeader wird beeinflusst... ... ist das schlimm? => sollten auskommentiert werden!
2. The substr() test is broken, i.e., it'll also match hijackerwdtest.com; the check needs to compare the whole host name, not a substring.

usr/local/sbin/wd2go.sh => "98.107.148.218" or "198.107.148.218"??? => what if these IPs/domains no longer belong to WD? Are we in danger then?

var/www/Admin/webapp/config/globalconfig.ini => disable communicationmanagerd
var/www/test.html => can it be removed?
usr/local/orion/communicationmanager => should this be disabled for security reasons?

// FOLLOWING LINES IN THE COMPONENT-CONFIG HAVE NO AUTHENTICATION DEFINITION!
// WE SHOULD CHECK IF THERE ARE BAD THINGS IN THEM 'alert_configuration' => array('alerts/alert_configuration.php','Alert_configuration'), 'alert_notify' => array('alerts/alert_notify.php','Alert_notify'), 'alert_test_email' => array('alerts/alert_configuration_test.php','Alert_configuration_test'), 'alerts' => array('alerts/alerts.php','Alerts'), 'config' => array('config/config.php','Config'), //DO *NOT* SET ANY AUTHENTICATION FOR CONFIG, it internally blocks any request not from localhost 'copy_local_server_share' => array('shares/copy_local_server_share.php','Copy_local_server_share'), 'copy_status' => array('storage/copy_status.php','Copy_status'), 'date_time_configuration' => array('device/date_time_configuration.php','Date_time_configuration'), 'device_description' => array('device/device_description.php','Device_description'), 'device_registration' => array('device/device_registration.php','Device_registration'), 'disk_status' => array('disk/disk_status.php','Disk_status'), 'display_alert' => array('alerts/displayalert.php','DisplayAlert'), 'eula_acceptance' => array('device/eula_acceptance.php','Eula_acceptance'), 'firmware_info' => array('firmware/firmware_info.php','Firmware_info'), 'firmware_update' => array('firmware/firmware_update.php','Firmware_update'), 'firmware_update_configuration' => array('firmware/firmware_update_configuration.php','Firmware_update_configuration'), 'hdd_standby_time' => array('disk/hdd_standby_time.php','Hdd_standby_time'), 'hidden_share_files' => array('shares/hidden_share_files.php','Hidden_share_files'), 'itunes_configuration' => array('itunes/itunes_configuration.php','Itunes_configuration'), 'itunes_scan' => array('itunes/itunes_scan.php','Itunes_scan'), 'language_configuration' => array('device/language_configuration.php','Language_configuration'), // <==== CVE-2018-18472 'local_servers' => array('local_servers/local_servers.php','Local_servers'), 'local_server_shares' => 
array('local_servers/local_server_shares.php','Local_server_shares'), 'media_server_configuration' => array('media_server/media_server_configuration.php','Media_server_configuration'), 'media_server_connected_list' => array('media_server/media_server_connected_list.php','Media_server_connected_list'), 'media_server_blocked_list' => array('media_server/media_server_blocked_list.php','Media_server_blocked_list'), 'mionet_state' => array('mionet/mionet_state.php','Mionet_state'), 'mionet_registered' => array('mionet/mionet_registered.php','Mionet_registered'), 'network_configuration' => array('network/network_configuration.php','Network_configuration'), 'network_services_configuration'=> array('network/network_services_configuration.php','Network_services_configuration'), 'network_workgroup' => array('network/network_workgroup.php','Network_workgroup'), 'owner_configuration' => array('users/owner_configuration.php','Owner_configuration'), 'port_test' => array('porttest/porttest.php','PortTest'), //DO *NOT* SET ANY AUTHENTICATION for port_test: it is called from the Server and there is no security risk to leaving it open 'share_access_configuration' => array('shares/share_access_configuration.php','Share_access_configuration'), 'shutdown' => array('system_configuration/shutdown.php','Shutdown'), 'smart_test' => array('disk/smart_test.php','Smart_test'), 'ssh_configuration' => array('network/ssh_configuration.php','Ssh_configuration'), 'status' => array('status/status.php','Status'), 'storage_usage' => array('storage/storage_usage.php','Storage_usage'), 'storage_usage_by_share' => array('storage/storage_usage_by_share.php','Storage_usage_by_share'), 'system_configuration' => array('system_configuration/system_configuration.php','System_configuration'), 'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore'), // <==== CVE-2021-35941: Argument 3 should be ADMIN_AUTH_LAN_ALL 'system_information' => 
array('system_reporting/system_information.php','System_information'), 'system_log' => array('system_reporting/system_log.php','System_log'), 'system_state' => array('system_reporting/system_state.php','System_state'), 'time_zones' => array('device/time_zones.php','Time_zones'), 'vft_configuration' => array('system_configuration/vft_configuration.php','Vft_configuration'),

QUESTION: not protected "as owner"?
- classes/api/1.0/rest/device/device_registration.php
- classes/api/1.0/rest/device/eula_acceptance.php
- classes/api/1.0/rest/disk/smart_test2.php
- classes/api/1.0/rest/drives/drives.php
- classes/api/1.0/rest/remoteuser/remoteaccount.php
- classes/api/1.0/rest/system_reporting/system_log.php
- classes/api/1.0/rest/usb_drive/usb_drive.php
- ... ?