What's new

Vulnerable outdated jQuery used in 386.7_2 (current latest version)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Do you have any POC that can exploit any of these while not logged into the router?

Keep in mind that most issues are really for public-facing websites. All the jquery-based pages in the firmware are not accessible unless you are already logged in, at which point you already have full access to the router.
 
Do you have any POC that can exploit any of these while not logged into the router?
Not really, i just found this firmware (asus merlin) before couple of days ago.

Keep in mind that most issues are really for public-facing websites.
Thats true, but not sure its a good idea to gamble on the security for outdated software VS well yeah do you have a POC otherwise everything is just fine until then..

Anyway just wanted to point out this since no thread talked about it.
 
Last edited:
Not really, i just found this firmware (asus merlin) before couple of days ago.


Thats true, but not sure its a good idea to gamble on the security for outdated software VS well yeah do you have a POC otherwise everything is just fine until then..

Anyway just wanted to point out this since no thread talked about it.
I considered upgrading jquery a few years ago, however the current built-in version is so old, there would be a lot of regression testing required, so I'd rather leave that up to Asus, unless an actual exploit comes up, at which point I can put some pressure on them to update it.
 
I considered upgrading jquery a few years ago, however the current built-in version is so old, there would be a lot of regression testing required, so I'd rather leave that up to Asus, unless an actual exploit comes up, at which point I can put some pressure on them to update it.
No code is bulletproof, and in an ideal world we'd pentest everything and patch it, but I believe your approach is the best one keep keep a healthy long-term open relationship with Asus. Keeping things casual and professional.

I still wish upstream partners would F(L)OSS their code so projects like OpenWRT could release firmware for our lovely AX86U routers (and others).
 
I still wish upstream partners would F(L)OSS their code so projects like OpenWRT could release firmware for our lovely AX86U routers (and others).
Broadcom are highly paranoid when it comes to IP protection. For crying out loud, they even had "Confidential/Proprietary" headers on some Makefiles...
 
Broadcom are highly paranoid when it comes to IP protection. For crying out loud, they even had "Confidential/Proprietary" headers on some Makefiles...
Jeez, that's pretty extreme.
Of course, I understand why they want to protect their work and intellectual property. (FOSS doesn't pay the bills etc), but yeah, pretty extreme.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top