NAS540: Web login broken with firmware version V5.21(AATB.4) / Passwords with special chars
Options
Haeberle
Posts: 1
Hi,
just wanted to tell you a glitch that appeared in this firmware, and possibly locks you out of your web admin interface. Affected Firmware:
NAS540
Firmware-Version:V5.21(AATB.4)
Appeared Feb/Mar 2020
The web interface login in this firmware started to have problems with passwords that contain other characters than (possibly, not tested) a-z,A-Z,0-9. The problem is also that the web interface does not prevent you from setting a password for an admin, with a character other than the ones above.
In my case, the existing admin had a password containing an exclamation mark '!'. After the update, the web interface login was no longer possible. Samba shares and SSH / Telnet are not affected.
I edited /etc/samba/smbpasswd using SSH, and replaced the admin password hash with the one from /etc/samba/smbpasswd.default (='1234'). After that, the web interface login worked, and I was able to set the admin password to something without '!'. I also tested for '$' - also not possible.
Since the web interface allows to set such passwords, I consider this a (dangerous) bug. Please fix, Zyxel!
Hope that helps everyone with the same problem.
Cheers!
#NAS_Mar_2020
just wanted to tell you a glitch that appeared in this firmware, and possibly locks you out of your web admin interface. Affected Firmware:
NAS540
Firmware-Version:V5.21(AATB.4)
Appeared Feb/Mar 2020
The web interface login in this firmware started to have problems with passwords that contain other characters than (possibly, not tested) a-z,A-Z,0-9. The problem is also that the web interface does not prevent you from setting a password for an admin, with a character other than the ones above.
In my case, the existing admin had a password containing an exclamation mark '!'. After the update, the web interface login was no longer possible. Samba shares and SSH / Telnet are not affected.
I edited /etc/samba/smbpasswd using SSH, and replaced the admin password hash with the one from /etc/samba/smbpasswd.default (='1234'). After that, the web interface login worked, and I was able to set the admin password to something without '!'. I also tested for '$' - also not possible.
Since the web interface allows to set such passwords, I consider this a (dangerous) bug. Please fix, Zyxel!
Hope that helps everyone with the same problem.
Cheers!
#NAS_Mar_2020
0
Comments
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 83 Nebula Status and Incidents
- 5.2K Security
- 99 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 922 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 212 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.1K FAQ
- 1K Nebula FAQ
- 445 Security FAQ
- 238 Switch FAQ
- 213 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 142 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight