← Back to Home

All posts tagged “hack”

Synology DSM 6.x Access any user's downloads

A little backstory

A few weeks ago, I decided to build a little tool for my Synology Download Station, since I was not quite satisfied with the features DS Download offered me for simple monitoring. However, while testing out the API as it was documented in official API docs, I stumbled upon some rather unusual behaviour, that allows you to access details of any download task, even if it does not belong to the user you're authenticated as.
While this actually is a security issue, as Synology confirmed upon my report, I do not think that users would rate their download tasks crucial information. And those who do might not even share their Download Station access with other users to begin with. So while this is obviously a bug that needs to - and according to their response will be - fixed, it is not a terrible leak but more of a reminder of an age old discussion.

The tale of incremental ID's

There have been numerous discussion about this topic in the past, and I think this little bug is a good reminder of why you should not use incremental ID's. If we break our System down to the very basic, whatever it may be, as soon as it involves access control, there are two main factors that decide whether or not a user can access a certain resource:

Read more →

Using a custom login style on a Synology DiskStation

Requirements and Goals

This article is aimed towards people who want to customize the login screen of their Synology Disk Station beyond the possibilities the settings UI offers. This does however require some basic knowledge of the underlying technology of both, the system and the web overview. It also requires logging in to your disk station via terminal, which, while is possible with only basic knowledge, is always a certain risk. Please be careful, when tinkering around on your device!

The scripts and examples in this article are used to manipulate the CSS and Favicon of your Disk Station's login screen. With the information given, it is technically possible to perform additional changes, such as completely altering the login screen's HTML, though I would not recommend doing this.

Read more →