
Re: Free Radius addon for ARM - security problems

claykin
Aspirant

Free Radius addon for ARM - security problems

The Free Radius app can be accessed by typing the following URL on the LAN. No authentication required to add/delete users. No security whatsoever.

https://IP of your NAS/apps/radius-app/users.php

Why doesn't this app adhere to the user security built into the OS? Allow me to assign who can manage.... Something!
Message 1 of 7
claykin
Aspirant

Re: Free Radius addon for ARM - security problems

No response? Can someone fix the Radius app to require a NAS admin login to change settings? Or apply an app-level admin username/password?

The current method is poor security.
Message 2 of 7
chirpa
Luminary

Re: Free Radius addon for ARM - security problems

NTGR should be doing more in-depth qualification of addons. Right now it seems like a flashmob of approvals/additions to try and catch up to Synology's offerings, without doing sanity checks like this. Stuff under /apps/ should get an umbrella auth system too from the OS.
Jedi Council Alumni | See my profile About page for my ReadyNAS history (2004-2012) |
https://twitter.com/chirpah/status/852389882764840960/photo/1
Message 3 of 7
mdgm-ntgr
NETGEAR Employee Retired

Re: Free Radius addon for ARM - security problems

App updates are up to the developer. There are other issues reported with this app and it hasn't been updated in some time.
Message 4 of 7
claykin
Aspirant

Re: Free Radius addon for ARM - security problems

mdgm wrote:
App updates are up to the developer. There are other issues reported with this app and it hasn't been updated in some time.


Netgear is giving too much freedom if they are allowing plugin apps to be accessible without reasonable security checks. A recipe for disaster.

I checked Synology and they do not allow access to their Radius app from users other than admins or those with permission.

Simple, fix it Netgear!
Message 5 of 7
StephenB
Guru

Re: Free Radius addon for ARM - security problems

claykin wrote:
Simple, fix it Netgear!
The only fix Netgear can make is to remove the app - which of course is sometimes the right solution.

I agree with Chirpa that the up-front qualification should find stuff like this.
Message 6 of 7
mdgm-ntgr
NETGEAR Employee Retired

Re: Free Radius addon for ARM - security problems

If you have SSH access you should be able to add a .htaccess file to add some security.
Message 7 of 7
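
One way to apply the .htaccess suggestion from message 7, as an added example that is not part of the thread or the app's own code. It assumes the NAS web server is Apache with .htaccess overrides enabled for authentication directives; the function name `write_htaccess` and all paths are hypothetical, since the thread does not give the app's directory on disk.

```shell
#!/bin/sh
# Added example. write_htaccess is a hypothetical helper; pass it the
# on-disk directory that backs /apps/radius-app/ (not stated in the thread)
# and an absolute path for the password file.
#
# Create the password file first (htpasswd ships with Apache):
#   htpasswd -c /path/outside/webroot/radius.htpasswd admin
# Afterwards an unauthenticated request should get HTTP 401:
#   curl -k -s -o /dev/null -w '%{http_code}\n' \
#        https://NAS_IP/apps/radius-app/users.php

write_htaccess() {
    app_dir=$1
    pw_file=$2

    [ -d "$app_dir" ] || { echo "no such directory: $app_dir" >&2; return 1; }

    # Resolve symlinks so the containment check below compares real paths.
    app_real=$(cd "$app_dir" && pwd -P) || return 1

    # AuthUserFile must be absolute, otherwise Apache resolves it
    # relative to ServerRoot and the file may silently not be found.
    case "$pw_file" in
        /*) ;;
        *) echo "password file path must be absolute" >&2; return 2 ;;
    esac

    # Refuse a password file inside the protected directory: the web
    # server could then serve the hashes to anyone who logs in.
    case "$pw_file" in
        "$app_real"/*|"$app_dir"/*)
            echo "password file must live outside $app_dir" >&2; return 3 ;;
    esac

    # Require a valid user for every file in the directory, users.php included.
    cat > "$app_real/.htaccess" <<EOF
AuthType Basic
AuthName "RADIUS user management"
AuthBasicProvider file
AuthUserFile "$pw_file"
Require valid-user
EOF
    chmod 644 "$app_real/.htaccess"   # must stay readable by the web server
}
```

If the curl check still returns 200 after the file is in place, the server is ignoring .htaccess for that directory and the restriction has to go into the server configuration instead.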