Issues with firmware V5.21(AAZF.7) on NAS326


  • masterflai
    masterflai Posts: 19  Freshman Member
    Thanks for the reply, Steven. I reset the password yesterday with the mentioned method. It was the same procedure after installing the patch before.

    Is it true that the current status of the firmware is not to use special characters? If so, why didn't ZyXEL also modify the webpage (user administration), where a user can enter a new password?
  • Zyxel_Steven
    Zyxel_Steven Posts: 247  Zyxel Employee
    edited March 2020
    Is it true that the current status of the firmware is not to use special characters? If so, why didn't ZyXEL also modify the webpage (user administration), where a user can enter a new password?
    @masterflai,
    We will fix it in the next official firmware to forbid users from setting a new password that includes the special characters !  #  $  %  &  (  -  |, which cause the login issue.
  • Mijzelf
    Mijzelf Posts: 2,050
     Guru Member
    @Zyxel_Steven : Can you elaborate on that? I don't see how ! ( and - can trigger the bug. But I can trigger the bug without any of the characters you list here:

    wget http://nas520.lan/adv,/cgi-bin/weblogin.cgi --post-data="username=a';touch /tmp/x;'"

    will create a file /tmp/x

  • masterflai
    masterflai Posts: 19  Freshman Member
    @Zyxel_Steven : In this context, would not a proper input validation be much more useful and the correct way to deal with the threat? In my eyes, prohibiting special characters is at most a workaround to save time.

    Please dear ZyXEL team, do it better this time. You can do it if you try hard.
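
Added example, not code from the thread or from Zyxel's firmware: it runs the payload shape Mijzelf posted against the character denylist from the vendor reply, and compares a shell-built command with an argv call and an allowlist. How the firmware actually passes the username to a shell is not shown in the thread, so `lookup_via_shell`, the `echo` command and the allowlist pattern are assumptions.

```python
import os
import re
import subprocess
import tempfile

# The characters the vendor reply in this thread says will be forbidden.
DENYLIST = set("!#$%&(-|")
# Assumed allowlist policy for account names (not taken from the firmware).
ALLOWED = re.compile(r"[A-Za-z0-9_.]{1,32}")

def passes_denylist(value):
    return not (set(value) & DENYLIST)

def passes_allowlist(value):
    return ALLOWED.fullmatch(value) is not None

def lookup_via_shell(username, workdir):
    # Hypothetical vulnerable pattern: the value is pasted into a quoted shell string.
    subprocess.run(f"echo '{username}'", shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def lookup_via_argv(username, workdir):
    # Hardened form: no shell; the value is one argv element and is never parsed.
    subprocess.run(["echo", username], cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def marker_created(lookup, username):
    # Run one lookup in a scratch directory and report whether a file appeared.
    with tempfile.TemporaryDirectory() as workdir:
        lookup(username, workdir)
        return bool(os.listdir(workdir))

def demo():
    # Constructed input: the thread's payload shape with a relative file name.
    payload = "a';touch marker;'"
    return {
        "denylist_accepts": passes_denylist(payload),
        "allowlist_accepts": passes_allowlist(payload),
        "shell_ran_injected_command": marker_created(lookup_via_shell, payload),
        "argv_ran_injected_command": marker_created(lookup_via_argv, payload),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The denylist accepts the input because the quote and semicolon it relies on are not among the listed characters; the argv call is unaffected by any character because nothing parses the value as shell syntax.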

  • Zyxel_Steven
    Zyxel_Steven Posts: 247  Zyxel Employee
    edited March 2020

    Updated.

    NAS326: V5.21(AAZF.8)C0
    NAS520: V5.21(AASZ.4)C0
    NAS540: V5.21(AATB.5)C0
    NAS542: V5.21(ABAG.5)C0


    The release note is in the attachment.
  • Mirolein
    Mirolein Posts: 2  Freshman Member
    When is this update V5.21(AAZF.8)C0 available?
  • Mel
    Mel Posts: 83  Ally Member
    Hi Mirolein,

    You can go to Control Panel > System > FW Upgrade > Latest Firmware Check to upgrade it or download FW and upgrade it manually at Manual Firmware Upgrade. (ftp://ftp2.zyxel.com/NAS326/firmware/)

  • Mirolein
    Mirolein Posts: 2  Freshman Member
    Thank you, I got it with System - Upgrade
  • Bliko01
    Bliko01 Posts: 6  Freshman Member
    With that version, the problem with special characters is still there
    V5.21(AAZF.9)C0
    You really do not feel good when you are unable to log in :-(
    And if you try to reset the password and you type again a password with a special character, it still doesn't work. You have to find that forum to understand what is wrong
  • Zyxel_Jerry
    Zyxel_Jerry Posts: 631
     Guru Member
    Dear Sir,

    On the latest firmware, special characters cannot be put into the password.
    Please refer to the FAQ below.

Consumer Product Help Center