Page 9 of 34

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 15 Jan 2022, 23:37
by NavinKanus
What do you say about the python script, TM?

I am hoping you have now found the vulnerability, which looks like it makes it extremely easy to hack any of your NAS devices.

So stop saying that it is our password and start accepting that it is your TOS that has a big hole in it.

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 15 Jan 2022, 23:48
by REBELinBLUE
The TOS PHP scripts are encoded with something like Zend Guard, so I can't see what they do wrong :(

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 00:01
by REBELinBLUE
https://thatsn0tmy.site/posts/2021/12/h ... mmon-rces/ found this write-up, this is just terrible

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 00:19
by Charlie_Croker
REBELinBLUE wrote:
> https://thatsn0tmy.site/posts/2021/12/h ... mmon-rces/ found this write
> up, this is just terrible

Bloody hell, that's bad news. I note that it's dated December 2021, so it looks like it's being exploited. TM, this needs to be fixed ASAP or reinstalling the NAS will just lead to a further issue with people's data.
@TMRoy, we need to know what TM's plans are.

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 00:20
by NavinKanus
Wow, that was not hard. The write up clearly explains the whole exploit.

Hoping TM now knows what went wrong.

FIX IT TM, right now !

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 00:38
by REBELinBLUE
As a PHP Engineering Team Lead, there are quite a few things in this code which would be a no-no!

function __construct()
{
global $in, $config, $db, $L;
...


Globals are always a sign of bad design... That would automatically disqualify any candidate 😂

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 00:49
by Charlie_Croker
I have now pulled the plug on my TM; no way can this kind of S@£$ security be in any way excused. This is sloppy and shows no sign of any security audits, no sign of penetration testing or quality control. I know TM is at the budget end of the NAS market, but this is not acceptable; you are storing people's data (and in many cases their irreplaceable data). I was prepared to give TM the benefit of the doubt, but not for this.
Still, I suppose we can now expect lots of pictures of Pugs! :(

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 01:06
by NavinKanus
I don't think TM is going to respond now. The evidence is out. They made a huge mistake with their quality control, especially in the security part of the product.

Open Source development is always going to be a problem unless the developers have strong knowledge of security.

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 04:33
by REBELinBLUE
NavinKanus wrote:
> Open Source development is always going to be a problem unless the
> developers have strong knowledge of security.

The thing is, TOS isn't open source. Arguably, if it were, this would have been found sooner and by someone who wasn't looking to exploit it (not saying the person who posted that blog is responsible for exploiting it, but they certainly make it sound like that was their intention, and it doesn't sound like they reported it to TerraMaster before disclosing it publicly).

One of the first things I did when I got mine and noticed it was running PHP was pretty much the same as this guy, except when I found out the PHP files were encoded I gave up, as I wasn't interested enough to try and reverse engineer them. I'm sure there are many people who are the same, so instead it was left to someone more determined to find actual exploits, either for bad purposes or to make a name for themselves, rather than just the people who use the software and are interested in the workings of it.

Re: Urgent Notification about TNAS being Attacked by Ransomware

Posted: 16 Jan 2022, 12:57
by TMroy
Already passed this info to the tech team, I believe that they will have a patch soon for such an issue.