Re: Free Radius addon for ARM - security problems
2014-07-24
10:27 PM
Free Radius addon for ARM - security problems
The Free Radius app can be accessed by typing the following URL on the LAN. No authentication required to add/delete users. No security whatsoever.
https://IP of your NAS/apps/radius-app/users.php
Why doesn't this app adhere to the user security built into the OS? Allow me to assign who can manage.... Something!
ReadyNas - RNDX4210 with 4 x Seagate 1TB ES.2 disks (w/good firmware). RAIDIATOR V4.2.26.
Submitting logs to support. | Netgear HCL/compatibility list. | Readynas comparison chart. | Readynas How To Guides. | Great tips from dbott67. | Great tips from mdgm. | Prevent catastrophic data loss.
Message 1 of 7
2014-08-11
11:05 PM
Re: Free Radius addon for ARM - security problems
No response? Can someone fix the Radius app to require a NAS admin login to change settings? Or apply an app-level admin username/password?
The current method is poor security.
Message 2 of 7
2014-08-11
11:12 PM
Re: Free Radius addon for ARM - security problems
NTGR should be doing more in-depth qualification of addons. Right now it seems like a flashmob of approvals/additions to try and catch up to Synology's offerings, without doing sanity checks like this. Stuff under /apps/ should get an umbrella auth system too from the OS.
Jedi Council Alumni | See my profile About page for my ReadyNAS history (2004-2012) |
https://twitter.com/chirpah/status/852389882764840960/photo/1
Message 3 of 7
2014-08-11
11:13 PM
Re: Free Radius addon for ARM - security problems
App updates are up to the developer. There are other issues reported with this app and it hasn't been updated in some time.
Useful links: Sending Logs|My ReadyNAS Gear|FAQ|Hardware Compatibility List|Docs: Setup Guide, Manual|Downloads|Unofficial Tips|GPL|MDGM on Twitter|MDGM's Unofficial Guides
NB: A ReadyNas is not an excuse not to have a backup. Fire, theft, multiple disk failures, other hardware failure, floods, user negligence etc. can all result in loss of data.
How to contact NETGEAR Technical Support | Australia: 1300 361 254 / Other Numbers|Online Submission
Unofficial Guide for Moving from Sparc ReadyNAS to x86 ReadyNAS|Using Gmail with the ReadyNAS|XRAID Volume Size Calculator
Message 4 of 7
2014-08-12
07:38 PM
Re: Free Radius addon for ARM - security problems
mdgm wrote: App updates are up to the developer. There are other issues reported with this app and it hasn't been updated in some time.
Netgear is giving too much freedom if they are allowing plugin apps to be accessible without reasonable security checks. A recipe for disaster.
I checked Synology and they do not allow access to their Radius app from users other than admins or those with permission.
Simple, fix it Netgear!
Message 5 of 7
2014-08-13
03:37 AM
Re: Free Radius addon for ARM - security problems
The only fix Netgear can make is to remove the app - which of course is sometimes the right solution.
claykin wrote: Simple, fix it Netgear!
I agree with Chirpa that the up-front qualification should find stuff like this.
Message 6 of 7
2014-08-13
05:32 AM
Re: Free Radius addon for ARM - security problems
If you have SSH access you should be able to add a .htaccess file to add some security.
Message 7 of 7
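One way to apply the .htaccess suggestion from the last reply, as an added example that is not from the thread or from the app's developer. It assumes the NAS web server is Apache and honours .htaccess files for the app directory; the password-file path and the account name are hypothetical.

```apache
# .htaccess for the directory that serves /apps/radius-app/ (added example).
# The thread does not give the on-disk location of that directory, so locate
# it on your NAS over SSH before creating this file inside it.
#
# Prerequisite: the server configuration must allow this directory to set
# authentication directives (AllowOverride AuthConfig or AllowOverride All).
# If it does not, Apache silently ignores the lines below and users.php
# stays open, so always run the check at the end of this file.

# Ask for a username and password for every file here, including users.php.
# Basic auth sends the credentials base64-encoded, not encrypted, so reach
# the page only through the https:// URL.
AuthType Basic
AuthName "Radius app administration"

# Hypothetical path: keep the password file outside any web-served directory.
# Create it over SSH (the account name "radiusadmin" is constructed):
#     htpasswd -c /etc/radius-app.htpasswd radiusadmin
# Make it readable by the web server user and not writable by it.
AuthUserFile /etc/radius-app.htpasswd

# Any account listed in the password file may manage the app; nobody else.
Require valid-user

# Check from another machine on the LAN that the protection is active.
# Without credentials the response must be "401 Unauthorized":
#     curl -k -i https://<IP of your NAS>/apps/radius-app/users.php
# A "200 OK" with the user list means the .htaccess file is being ignored.
```

This gives the app its own password rather than tying it to the NAS admin accounts. Repeat the 401 check after any app or firmware update.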