Re: Free Radius addon for ARM - security problems

claykin · ‎2014-07-24

The Free Radius app can be accessed by typing the following URL on the LAN. No authentication required to add/delete users. No security whatsoever.

https://IP of your NAS/apps/radius-app/users.php

Why doesn't this app adhere to the user security built into the OS? Allow me to assign who can manage.... Something!

claykin · ‎2014-08-11

No response? Can someone fix the Radius app to require a NAS admin login to change settings. Or, apply an app level admin username/password?

The current method is poor security.

chirpa · ‎2014-08-11

NTGR should be doing more in-depth qualification of addons. Right now it seems like a flashmob of approvals/additions to try and catch up to Synology's offerings, without doing sanity checks like this. Stuff under /apps/ should get an umbrella auth system too from the OS.

mdgm-ntgr · ‎2014-08-11

App updates are up to the developer. There are other issues reported with this app and it hasn't been updated in some time.

claykin · ‎2014-08-12

mdgm wrote:
App updates are up to the developer. There are other issues reported with this app and it hasn't been updated in some time.

Netgear is giving too much freedom if they are allowing plugin apps to be accessible without reasonable security checks. A recipe for disaster.

I checked Synology and they do not allow access to their Radius app from users other than admins or those with permission.

Simple, fix it Netgear!

StephenB · ‎2014-08-13

claykin wrote:
Simple, fix it Netgear!

The only fix netgear can make is to remove the app - which of course is sometimes the right solution.

I agree that with Chirpa that the up-front qualification should find stuff like this.

mdgm-ntgr · ‎2014-08-13

If you have SSH access you should be able to add a .htaccess file to add some security.