Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Patou034
Aspirant

Curl does not work any more since upgrade to 6.9.3 on RN316

Hello,

I'm using the following command to shut down my RN316, but it is no longer working since the update to 6.9.3:

 

curl -u admin:$1 -k "https://$2/dbbroker" -H "Content-Type: application/x-www-form-urlencoded;" -H "X-Requested-With: XMLHttpRequest" --data "<?xml version=\"1.0\" encoding=\"UTF-8\"?><xs:nml xmlns:xs=\"http://www.netgear.com/protocol/transaction/NMLSchema-0.9\" xmlns=\"urn:netgear:nas:readynasd\" src=\"dpv_1445852944000\" dst=\"nas\"><xs:transaction id=\"njl_id_2269\"><xs:custom id=\"njl_id_2268\" name=\"Halt\" resource-id=\"Shutdown\" resource-type=\"System\"><Shutdown halt=\"true\" fsck=\"false\"/></xs:custom></xs:transaction></xs:nml>"

 

Could someone help, please?

Model: RN31661D|ReadyNAS 316 6-Bay
Message 1 of 15
Sandshark
Sensei

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

In OS6.9.3, access to /dbbroker is now forbidden (403 error).  I have not investigated why, but it appears intentional.

Message 2 of 15
Patou034
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Thank you for the reply,

Is there any solution for remote shutdown?
Message 3 of 15
mdgm-ntgr
NETGEAR Employee Retired

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

I think this is related to the CSRF security fix. I'll try to find out if there's a way that can do it on 6.9.3 and if not if something could be changed for a future firmware release.

Message 4 of 15
Patou034
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Thanks,

 

 

Message 5 of 15
Shadowl0rd
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

I have the same problem.

Is it possible to downgrade the firmware?

Where can I download firmware 6.9.0?

 

Message 6 of 15
Shadowl0rd
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

OK, I have been able to downgrade to 6.9.1 https://kb.netgear.com/000051531/ReadyNAS-OS-6-Software-Version-6-9-1 with no problem.

Now I can use curl again.

I hope there will be a way to automatically shut down the NAS in future firmware.

Thanks

 

Message 7 of 15
mdgm-ntgr
NETGEAR Employee Retired

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

This changed behaviour is expected. Your app/script will need to be longer on 6.9.3.

When sending the NML command or uploading files to the NAS over LAN, the app needs to send the csrfpId token and login credentials in the HTTP request header. To get the csrfpId token, the app needs to request this webpage http://nas_ip/admin/csrf.html with the admin login credentials.

And then parse the HTML file to get the csrfpId token.

The csrf.html includes a script element which has the csrfpId token.

For example,

 

<script type="text/javascript">
<!--
csrfInsert("csrfpId", "mKrWJJlKMv5iqXUcSK7dEruWxdSbSqNi713aOVNCpYkLIA1wWmCUhmoZeV8EJ-jfXb6X6K6rT9InWOSd_OPiWPeonCpp01LC");
//-->
</script>

Then the app shall add an HTTP header "csrfpId" with the token. The csrfpId can also be added to URL query parameters or upload form. The token expiry occurs after 3600 seconds by default. When the token has expired, if the app sends an NML command to the NAS, the NAS returns status code 403. The app needs to get a new token with the above steps.

 

Message 8 of 15
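
The token flow described in Message 8, written as a POSIX shell script around the curl command from the first post. This is an added example, not code from NETGEAR or from any poster; the `NAS_PASS` and `NAS_CACERT` variable names, the HTTPS scheme for csrf.html and the 200 success code are assumptions.

```shell
#!/bin/sh
# Added example. Assumes NAS_PASS is exported by the caller, the admin user is
# "admin", and csrf.html is served over HTTPS on the same host as /dbbroker.

# NML Halt request, copied from the first post in this thread.
HALT_NML='<?xml version="1.0" encoding="UTF-8"?><xs:nml xmlns:xs="http://www.netgear.com/protocol/transaction/NMLSchema-0.9" xmlns="urn:netgear:nas:readynasd" src="dpv_1445852944000" dst="nas"><xs:transaction id="njl_id_2269"><xs:custom id="njl_id_2268" name="Halt" resource-id="Shutdown" resource-type="System"><Shutdown halt="true" fsck="false"/></xs:custom></xs:transaction></xs:nml>'

# Read csrf.html on stdin; print the token from csrfInsert("csrfpId", "<token>").
extract_csrfpid() {
  sed -n 's/.*csrfInsert("csrfpId",[[:space:]]*"\([A-Za-z0-9_-]*\)").*/\1/p' | head -n 1
}

# Build a curl config for stdin so the password never shows in the process list.
# NAS_CACERT (optional, assumed name) points at the NAS certificate; without it
# the script falls back to the original post's -k behaviour.
curl_config() {
  esc=$(printf '%s' "$NAS_PASS" | sed 's/[\\"]/\\&/g')
  printf 'user = "admin:%s"\n' "$esc"
  if [ -n "${NAS_CACERT:-}" ]; then
    printf 'cacert = "%s"\n' "$NAS_CACERT"
  else
    printf 'insecure\n'
  fi
}

nas_curl() { curl_config | curl -sS -K - "$@"; }

nas_shutdown() {
  host=$1
  # Step 1: fetch csrf.html with the admin credentials and parse out the token.
  token=$(nas_curl "https://$host/admin/csrf.html" | extract_csrfpid)
  [ -n "$token" ] || { echo "no csrfpId token found in csrf.html" >&2; return 1; }
  # Step 2: send the NML command with the token in a "csrfpId" header.
  status=$(nas_curl -o /dev/null -w '%{http_code}' \
    -H "csrfpId: $token" \
    -H "Content-Type: application/x-www-form-urlencoded;" \
    -H "X-Requested-With: XMLHttpRequest" \
    --data "$HALT_NML" "https://$host/dbbroker")
  # 403: token missing, rejected, or past its lifetime (3600 s by default).
  [ "$status" = 200 ] || { echo "dbbroker returned HTTP $status" >&2; return 1; }
}

# Usage: NAS_PASS=... sh nas-halt.sh shutdown <nas-host>
if [ "${1:-}" = "shutdown" ] && [ -n "${2:-}" ]; then
  nas_shutdown "$2"
fi
```

Because a fresh token is fetched on every run, the 3600-second expiry only matters to callers that cache the token between requests.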
Yevgeniy
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Does this mean that curl is no longer usable? Only scripts? What is the reason for this restriction? I use curl in my home automation system to turn off the system or start the backup job.

Message 9 of 15
StephenB
Guru

Re: Curl does not work any more since upgrade to 6.9.3 on RN316


@Yevgeniy wrote:

Does this mean that curl is no longer usable?


No.  It means that you need to get the csrfpId token in the script, and then change your curl command line to include --header "X-CSRFToken: {token}".

 


@Yevgeniy wrote:

What is the reason for this restriction? 


It improves security, by making it much more difficult for a "cross-site request forgery" attack to succeed. 

 

Basically, the NAS web server is setting up a session token for each web connection.  Curl needs to present that token in order for the apache server in the NAS to accept the commands.  If it doesn't, the NAS assumes those commands are forged.

Message 10 of 15
Shadowl0rd
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Most of us don't know how to write the script to shut down the ReadyNAS; we have just copied and pasted (changing the username and password) and that's all.

It will be great if someone is able to make a new script that works with 6.9.3 using the token and share it with the community.

 

 

Message 11 of 15
DIYJeff
Aspirant

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Just what I needed.  I saw that it needed the csrfpId token, but did not know how to get it.  Thanks, my code is now working again.

 

Model: RN214|4 BAY Desktop ReadyNAS Storage
Message 12 of 15
Aemstel
Tutor

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

Like Shadowl0rd, I also don't know how to write this code and copy/pasted the code I've been using for years, which now doesn't work anymore. Could anyone with a new working script please share their script here? Preferably for a .bat file, like in the first post. Much appreciated.

Message 13 of 15
Sandshark
Sensei

Re: Curl does not work any more since upgrade to 6.9.3 on RN316

This sounds like a place where Netgear should consider writing a program, so that the password is not stored in the clear.  Ideally, something that can be called from a backup job.  Even better would be the ability to send a WoL packet as well.

 

Let's call the program ReadyCTL.  Script does:

 

ReadyCTL wakeup NAS1

<insert backup software command here>

ReadyCTL shutdown NAS1

 

Before all this, the user configures the program through the GUI with the NAS1 IP address (and others if he has them), admin name, and password and the program stores the name and password encrypted.

 

Building this into the NAS backup system would also be great.

Message 14 of 15
StephenB
Guru

Re: Curl does not work any more since upgrade to 6.9.3 on RN316


@Sandshark wrote:

This sounds like a place where Netgear should consider writing a program, so that the password is not stored in the clear.  Ideally, something that can be called from a backup job.  Even better would be the ability to send a WoL packet as well.

 

Let's call the program ReadyCTL.  Script does:

 

ReadyCTL wakeup NAS1

<insert backup software command here>

ReadyCTL shutdown NAS1

 

Before all this, the user configures the program through the GUI with the NAS1 IP address (and others if he has them), admin name, and password and the program stores the name and password encrypted.

 

Building this into the NAS backup system would also be great.


Maybe post this on the idea exchange.  FWIW, I'd like to see a general WoL app for OS6 NAS.

Message 15 of 15