Reply

Re: FTP to USB Issue

SAPhil
Follower

FTP to USB Issue

I have configured my USB settings to allow FTP access via the internet. Leaving aside the issue that I don't like the fact that the only options are in effect no security or to use the router admin password Smiley Sad , my worry is that having connected via an ftp client program it is possible to access the all linux system files on the router as well as files on the usb key. This seems immensely dangerous to me. Is there a way to prevent this?
Message 1 of 9
haruharraharuko
Aspirant

Re: FTP to USB Issue

I have the same issue, looking into Telnetting into the router to solve this problem (http://forum1.netgear.com/showthread.php?t=68799&highlight=telnet) but I haven't been able to fix it yet.
Message 2 of 9
24Cnetg
Aspirant

Re: FTP to USB Issue

I have the same issue (DGND 3300 v2).

I allowed ftp access from the internet on an "admin protected" usb memory stick.

Anonymous ftp from the internet takes you to "\mnt".
If you cd to sub-directories, then once past "shares" the normal FTP commands are disabled, which is fine.
However, if instead you "cd .." you arrive at "\" and then can navigate to etc, var and so on. The permissions were at least "r-x" for ordinary users, but why expose any of that stuff? It does not look safe to me, like SAPhil said.
At least using the router menu to disable ftp access from the internet does seem to work.

Logging in as a random account name gets the (ironic) message that anonymous login is not allowed, but that is fine.

Logging in as "admin" (plus correct password) kind of works, it takes you to "\" (which turns out to be "\mnt" in the router file system) and then lets you cd to subdirectories and change stuff. Anyhow, it is behind a password so no security problem in that, although the initial mount point is strange.

It seems to me that anonymous ftp just has the wrong initial share point.
Which is a shame, as it makes the usb access from the internet too scary to use, for me anyway.

I briefly looked at https from the internet, but that looked even less secure, so I disabled that too.
Message 3 of 9
24Cnetg
Aspirant

Re: FTP to USB Issue

I did a little more research on what was visible using anonymous ftp from the internet, and after finding a plain text password, I resolved never to enable ftp to USB over the internet!

Just to be clear: I am not talking about anything on my usb memory stick, this is a plain text password on the router itself, readable by ftp over the internet, with an anonymous login, i.e. no password required.

This is such a huge security hole, I have to ask myself if I am missing something here. But as it stands, I will not enable ftp access over the internet. I would welcome suggestions. I cannot believe we are the first to discover this.
Message 4 of 9
Joe_
Apprentice

Re: FTP to USB Issue

24Cnetg wrote:
I would welcome suggestions.

Open a case at my.netgear.com and report the matter. You may need to request elevating to level 2 to get any attention.
Message 5 of 9
24Cnetg
Aspirant

Re: FTP to USB Issue

OK, I made an "Online Technical Submission", which I hope is the same thing.
I gave them rather fuller details than I have posted here.

There was no facility to request elevation.
Message 6 of 9
Scubbie
Apprentice

Re: FTP to USB Issue

24Cnetg wrote:
OK, I made an "Online Technical Submission", which I hope is the same thing.


Good. That is the correct section.

24Cnetg wrote:
I gave them rather fuller details than I have posted here.


To be expected. Posting such details in a public forum would be dangerous.

24Cnetg wrote:
There was no facility to request elevation.


You should get a response soon. When you do, promptly respond and politely request that as it may be beyond level 1 support, that it is escalated.
Message 7 of 9
Joe_
Apprentice

Re: FTP to USB Issue

24Cnetg wrote:
There was no facility to request elevation.

You may have to go through a few e-mail exchanges with level 1 first. They may ask you to try all sorts of things. Just don't let them frustrate you, eventually you can ask to have the matter elevated to level 2. Letting Netgear, particularly level 2, officially know about flaws is the only way we can expect to push for fixes.
Message 8 of 9
24Cnetg
Aspirant

Re: FTP to USB Issue

Joe_ wrote:
Just don't let them frustrate you...

I'll keep you all posted!

Letting Netgear, particularly level 2, officially know about flaws is the only way we can expect to push for fixes.

Good point.

Thanks, everybody, for the help.
Message 9 of 9
Top Contributors
Discussion stats
  • 8 replies
  • 4393 views
  • 0 kudos
  • 5 in conversation
Announcements