Concerns about commit 6e1ef2f
Issue #171, status: resolved
Commit 6e1ef2f adds the --no-check-certificate option to wget in scripts. I believe this introduces a significant security issue. While, admittedly, I'm not too familiar with the internals of FreshTomato, at least one of the scripts (release/src-rt-6.x.4708/router/others/entware-install.sh) appears to enable remote code execution for an attacker in MITM position with this new option as it fetches files which are meant to be executed. I can't see any reason why this option needs to be included and believe that it should be removed for security.
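An added example (not part of the issue or of FreshTomato's own scripts) of the kind of check that catches the pattern reported above: a small audit function that flags lines in a script where wget or curl downloads with certificate verification disabled, run against a constructed sample script; the CA bundle path in `safe_fetch` is an assumption for illustration.

```shell
#!/bin/sh
# Constructed sample script in the style of an install script that fetches
# remote content. Hypothetical lines, not the FreshTomato script itself.
SAMPLE_SCRIPT="$(mktemp)"
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/sh
URL=https://example.invalid/installer
wget --no-check-certificate -O /tmp/installer.sh "$URL"
wget -q --no-check-certificate -O - "$URL" | sh
curl -k -o /tmp/opkg "$URL/opkg"
wget -O /tmp/ok.sh "$URL/ok.sh"   # verification left on: fine
EOF

# Print "lineno:line" for every wget/curl invocation in a script that turns
# off TLS certificate verification (--no-check-certificate, -k, --insecure).
# Only the command text before any pipe is examined.
find_insecure_fetches() {
    grep -nE 'wget[^|]*--no-check-certificate|curl[^|]*([[:space:]]-[a-zA-Z]*k|--insecure)' "$1"
}

# Number of findings, so a CI step can fail when it is not zero.
count_insecure_fetches() {
    n=$(find_insecure_fetches "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Hardened form of the same download: verification stays on and the trusted
# CA bundle is named explicitly (path is an assumption for this example).
safe_fetch() {
    wget --ca-certificate=/etc/ssl/certs/ca-certificates.crt -O "$2" "$1"
}

find_insecure_fetches "$SAMPLE_SCRIPT"
```

Run against the sample it reports the three lines that disable verification and passes the fourth download, which keeps it on.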
Comments (1)

repo owner:
https://bitbucket.org/pedro311/freshtomato-arm/commits/26562e36c6b6c6af425e374cdc56f267fcd60a3b