Tick-tock
Ah, found here, the most important thing to me: "Date Notified: 04 Dec 2015". No mention of the problem or the 'mitigation' from the vendor after 2 months?
Anybody know of a site where vendors are rated by response time?
Two dangerous un-patched remote code execution vulnerabilities that allow access to God-mode system privileges have been reported in Netgear's ProSafe Network Management 300 management software. The file upload vulnerability (CVE-2016-1524) and restricted directory traversal (CVE-2016-1525) allow unauthenticated attackers to …
Is it wise using a web server/client browser to control a security device? This being a big selling point, everything has to be browser based, perish the thought someone would have to read the RFC. Now where do I click to control my fusion reactor, whoops, error in java applet, meltdown in twenty seconds ...
"NMS300 Software Release 1.5.0.11"
http://kb.netgear.com/app/answers/detail/a_id/30208
Is it wise using a web server/client browser to control a security device?
If the embedded web server software is designed and written correctly, then there's no problem.
If you don't use a browser, you'll be using some kind of app to do the same thing, which, really, isn't that much different in terms of security.
The only way to completely avoid this is to physically connect to the device (e.g. via a serial port). But that has proven to be consumer unfriendly.
No, the whole web stack is pathetically insecure by design, with a lot of attempts to bolt security onto it. It was designed for hyperlinked documents, not secure applications. And it was extended by companies with more interest in reaching more users at any price than in a well-designed, secure framework. Especially since it doesn't transfer data only, but also the client application code - and, like in this case, it is also far easier to mess with the server application code due to the very generic nature of the web servers used, which usually have an attack surface far larger than needed.
The frequent use of cheap libraries (and sometimes older versions as well) to code this kind of application doesn't help either.
After all, that's the Unix philosophy - get an existing wrong tool, a hammer, and try to shape it to do something else - badly. Never implement something better and well designed.