This thread is based on the advisory I published at
https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt.
The advisory discusses the following vulnerabilities in the current firmware version (as of this writing):
Lack of authentication on web console by default
Insufficient Authorization Checks
-Firmware Update
-Settings backup
-Test Lua code
Path Traversal
Cross-Site Request Forgery
Lack of authentication on UPnP daemon
Vulnerable libupnp Version
Server Side Request Forgery
Unconfirmed Authentication Bypass
Here are some short-form fix suggestions for each:
Lack of authentication on web console by default
===
Enable authentication on the web console by default, and enable SSL. Either use a CA-signed cert with a generic domain that resolves to your Vera's IP address (in the same way that the detect_unit.php script does) or generate a self-signed CA certificate and SSL certificate and ask the user to install the cert to resolve the browser warning about self-signed certificates.
Insufficient Authorization Checks
===
Firmware Update - Do not allow Guest users to update firmware. Implement a digital signature on the firmware to be able to distinguish stock firmware from modded versions.
Settings backup - Do not allow Guest users to generate backups. Encrypt the backup file so that its contents cannot be read or modified by an attacker.
Test Lua code - Do not allow Guest users to run Lua code. Do not run tested Lua code as root.
Path Traversal
===
Do not allow slashes in the filename parameter provided to "get_file.sh".
Cross-Site Request Forgery
===
Incorporate an unpredictable element into each sensitive request to prevent cross-site request forgery attacks.
Lack of authentication on UPnP daemon
===
UPnP is an inherently dangerous protocol. I recommend disabling it by default and giving users an option to re-enable it if desired, with a warning about UPnP being unauthenticated and unencrypted. I also recommend removing the "RunLua" action, or at least adding a password to prevent unauthorized access. (This does not prevent someone from eavesdropping, but it prevents remote attacks if people really must use UPnP.)
Vulnerable libupnp Version
===
Update the version of libupnp in use to the latest version.
Server Side Request Forgery
===
I don't have any good ideas for fixing this, since the only real way to fix this is to disable it.
Unconfirmed Authentication Bypass
===
MCV says that they have checked and that this is not a vulnerability. Additionally, it seems they are changing the remote access architecture. So, moot point.
If you see a problem with one of these suggestions, or have a better idea on how to fix something, please post a reply!
EDIT Aug 30 7:14 CT: Updated table of contents to add dashes indicating subitems to "Insufficient Authorization Checks" item.
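
Added example, not part of the original post and not Vera firmware code: one way a script like "get_file.sh" could apply the Path Traversal suggestion. It goes further than rejecting slashes by allowlisting characters and refusing symlinks. The function names and the directory argument are hypothetical, and the parameter is assumed to be checked after any URL decoding.

```sh
#!/bin/sh
# Added example; both function names are hypothetical.
LC_ALL=C; export LC_ALL    # make the [A-Za-z] ranges byte-exact

# Return 0 only if $1 is a bare file name made of allowlisted characters.
is_safe_filename() {
    name=$1
    [ -n "$name" ] || return 1                 # empty parameter
    [ "${#name}" -le 128 ] || return 1         # arbitrary length cap
    case $name in
        .*) return 1 ;;                        # ".", ".." and dotfiles
        *[!A-Za-z0-9._-]*) return 1 ;;         # "/", "\", "%", spaces, control bytes
    esac
    return 0
}

# Print the canonical path of file $2 inside directory $1, or return 1.
resolve_in_base() {
    base=$1
    name=$2
    is_safe_filename "$name" || return 1
    base_real=$(cd "$base" 2>/dev/null && pwd -P) || return 1
    path=$base_real/$name
    if [ -L "$path" ]; then return 1; fi       # a symlink could point outside base
    [ -f "$path" ] || return 1                 # regular files only
    printf '%s\n' "$path"
}

# Constructed sample inputs (not taken from the advisory).
for candidate in 'user_data.json' '../etc/passwd' 'a/b' 'a%2fb' '.hidden' ''; do
    if is_safe_filename "$candidate"; then
        echo "accept: '$candidate'"
    else
        echo "reject: '$candidate'"
    fi
done
```

The caller serves the file only when resolve_in_base succeeds and should return an error response otherwise, without echoing the rejected name back.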