Menu
What's new
By:
Filters Better Search

Vulnerable outdated jQuery used in 386.7_2 (current latest version)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

H

Hardenizer

New Around Here
 
Last edited:
Do you have any POC that can exploit any of these while not logged into the router?

Keep in mind that most issues are really for public-facing websites. All the jquery-based pages in the firmware are not accessible unless you are already logged in, at which point you already have full access to the router.
 
RMerlin said:
Do you have any POC that can exploit any of these while not logged into the router?
Click to expand...
Not really, i just found this firmware (asus merlin) before couple of days ago.

RMerlin said:
Keep in mind that most issues are really for public-facing websites.
Click to expand...
Thats true, but not sure its a good idea to gamble on the security for outdated software VS well yeah do you have a POC otherwise everything is just fine until then..

Anyway just wanted to point out this since no thread talked about it.
 
Last edited:
Hardenizer said:
Not really, i just found this firmware (asus merlin) before couple of days ago.


Thats true, but not sure its a good idea to gamble on the security for outdated software VS well yeah do you have a POC otherwise everything is just fine until then..

Anyway just wanted to point out this since no thread talked about it.
Click to expand...
I considered upgrading jquery a few years ago, however the current built-in version is so old, there would be a lot of regression testing required, so I'd rather leave that up to Asus, unless an actual exploit comes up, at which point I can put some pressure on them to update it.
 
RMerlin said:
I considered upgrading jquery a few years ago, however the current built-in version is so old, there would be a lot of regression testing required, so I'd rather leave that up to Asus, unless an actual exploit comes up, at which point I can put some pressure on them to update it.
Click to expand...
No code is bulletproof, and in an ideal world we'd pentest everything and patch it, but I believe your approach is the best one keep keep a healthy long-term open relationship with Asus. Keeping things casual and professional.

I still wish upstream partners would F(L)OSS their code so projects like OpenWRT could release firmware for our lovely AX86U routers (and others).
 
domic said:
I still wish upstream partners would F(L)OSS their code so projects like OpenWRT could release firmware for our lovely AX86U routers (and others).
Click to expand...
Broadcom are highly paranoid when it comes to IP protection. For crying out loud, they even had "Confidential/Proprietary" headers on some Makefiles...
 
RMerlin said:
Broadcom are highly paranoid when it comes to IP protection. For crying out loud, they even had "Confidential/Proprietary" headers on some Makefiles...
Click to expand...
Jeez, that's pretty extreme.
Of course, I understand why they want to protect their work and intellectual property. (FOSS doesn't pay the bills etc), but yeah, pretty extreme.
 
You must log in or register to reply here.

Similar threads

Voxel
Voxel Custom firmware build for Orbi LBR20 v. 9.2.5.2.43SF-HW
Replies
2
Views
360
nordicboy
N
Voxel
Voxel Custom firmware build for Orbi RBK50/RBK53 (RBR50, RBS50) v. 9.2.5.2.33SF-HW
Replies
10
Views
847
quackamole
Q
Voxel
Voxel Custom firmware build for R7800 v. 1.0.2.107SF
Replies
14
Views
1K
jerry6
jerry6
Voxel
Voxel Custom firmware build for R9000/R8900 v. 1.0.4.73HF
Replies
3
Views
343
Kitsap
K
Voxel
Voxel Custom firmware build for R9000/R8900 v. 1.0.4.72HF
Replies
13
Views
1K
Kitsap
K

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 667 (members: 12, guests: 655)
Top