DB.DUMP contains passwords in PLAIN TEXT (ReadyNAS 314 OS6)
I downloaded the logs via the ReadyNAS 314 > System > Logs > Download Logs button.
I looked over each logfile and discovered a DB.DUMP file. To my shock, I found that it contained the PLAIN TEXT password for backup jobs involving FTP or RSYNC. That is a serious problem. Can those passwords be encrypted and stored as such in the database?
Also, it appears that the DB.DUMP contains references to backup jobs that no longer exist. Where does ReadyNAS OS6 get the dump from, and how can we dump the latest copy of the database?
Thanks!
Re: DB.DUMP contains passwords in PLAIN TEXT (ReadyNAS 314 OS6)
For those curious, I was provided the following info in a private message (name withheld unless that person wants it to be known):
"/var/readynasd/db.sq3
You can manage this using the sqlite3 command
db.dump is just a dump of this database"
Thank you to that person!
The only thing left now is the feedback to Netgear to have the passwords ENCRYPTED. That's important in today's day and age of hacks happening all the time.
Re: DB.DUMP contains passwords in PLAIN TEXT (ReadyNAS 314 OS6)
Thank you for your feedback.
The changes are significant enough that we are expecting to have the fix in the 6.10.0 release.
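
Added example, not part of the thread and not Netgear's code: one way to scrub credentials from a SQLite text dump such as the db.dump discussed above before a log bundle is shared with anyone. The table and column names in the sample are hypothetical (the real schema is not shown in the thread), and picking secrets by column name is an assumed heuristic.

```python
import re
import sqlite3

# Column names treated as secrets: a heuristic assumption, extend as needed.
SECRET_COL = re.compile(r"pass|secret|token", re.IGNORECASE)

# Constructed sample dump; table and column names are hypothetical,
# not the real ReadyNAS schema.
SAMPLE_DUMP = """
BEGIN TRANSACTION;
CREATE TABLE backup_jobs (id INTEGER PRIMARY KEY, name TEXT, proto TEXT,
                          host TEXT, login TEXT, password TEXT);
INSERT INTO backup_jobs VALUES (1,'nightly','rsync','backup.example.net','nas','S3cret!rsync');
INSERT INTO backup_jobs VALUES (2,'offsite','ftp','ftp.example.net','nas','hunter2');
INSERT INTO backup_jobs VALUES (3,'local','usb',NULL,NULL,NULL);
COMMIT;
"""

def quote_ident(name):
    """Quote an SQL identifier so odd table/column names cannot break the query."""
    return '"' + name.replace('"', '""') + '"'

def redact_dump(dump_sql, marker="<redacted>"):
    """Load a SQLite text dump into memory, overwrite secret-looking columns,
    and return (redacted dump text, [(table, column, rows_changed), ...])."""
    db = sqlite3.connect(":memory:")
    db.executescript(dump_sql)
    findings = []
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        qt = quote_ident(table)
        for col in db.execute(f"PRAGMA table_info({qt})").fetchall():
            if not SECRET_COL.search(col[1]):
                continue
            qc = quote_ident(col[1])
            cur = db.execute(  # only touch rows that actually hold a value
                f"UPDATE {qt} SET {qc} = ? WHERE {qc} IS NOT NULL AND {qc} != ''",
                (marker,))
            findings.append((table, col[1], cur.rowcount))
    db.commit()
    redacted = "\n".join(db.iterdump())
    db.close()
    return redacted, findings

if __name__ == "__main__":
    text, hits = redact_dump(SAMPLE_DUMP)
    for table, col, n in hits:
        print(f"{table}.{col}: {n} value(s) redacted")
    print(text)
```

The findings list doubles as an inventory of which stored credentials were exposed in the dump and therefore need rotating on the FTP or rsync side.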