Hi there,
I have noticed that the install script downloads the omvextras deb package and explicitly ignores TLS certificate validation.
See code.
wget --no-check-certificate ${url}/${file}
Unless I am overlooking something, the integrity of the downloaded package is not checked otherwise, so this would allow a MITM attacker to execute malicious code with root privileges on your system.
In my opinion, there is no valid reason for making this the default behavior.
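
One way to close the gap described in the post above, as an added example that is not part of the original post or of the install script: download with certificate validation left on and refuse to use the file unless its SHA-256 matches a pinned value. The function names and the existence of a digest published through a trusted channel are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. The caller supplies the URL,
# destination and pinned SHA-256 (assumed to come from a trusted channel,
# e.g. committed next to the installer).

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
    file=$1; expected=$2
    [ -f "$file" ] || return 1
    # Accept only a well-formed digest: exactly 64 hex characters.
    case $expected in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED_HEX
# Writes DEST only after both TLS validation and the digest check succeed.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # No --no-check-certificate: wget validates the chain and host name.
    if wget -q -O "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "download or integrity check failed: $url" >&2
        return 1
    fi
}
```

The installer would call `fetch_verified` and run `dpkg -i` only when it returns 0, so a failed certificate check or a digest mismatch stops the install before anything runs as root.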