Hi Support,
For the sake of improving security, please consider updating Asustor's WebDAV service to use Auth Digest instead of the plain text Auth Basic (insecure ngx_http_auth_asustor_module Nginx module by Asustor). Auth Basic uses base64-encoded clear text passwords that can be retrieved by anyone even with HTTPS.
There's a third party module for Nginx Auth Digest, https://www.nginx.com/resources/wiki/mo ... th_digest/, but Asustor's developers need to build it to work with their ngx_http_auth_asustor_module.
I've done it for my custom Nginx reverse proxy (some patches needed) but wasn't able to do this for the Asustor WebDAV as there's no source code provided for the ngx_http_auth_asustor_module. Is it possible to release this source code on https://sourceforge.net/projects/asgpl/files/ so the public can help to improve its security?
root@Nimbustor4:~# nginx -V 2>&1|grep -Eo '(module.+module)'
module --with-http_dav_module --with-http_v2_module --add-module=external/ngx_http_dav_ext_module --add-module=external/ngx_http_auth_asustor_module --add-module=external/ngx_http_dav_lock_module
root@Nimbustor4:~# curl -I 192.168.1.6:9800
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Sun, 09 Apr 2023 21:11:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 172
Connection: close
WWW-Authenticate: Basic realm="ASUSTOR WebDAV"
root@Nimbustor4:~# curl -vIX "PROPFIND" http://######:######@192.168.1.6:9800
* Trying 192.168.1.6:9800...
* Connected to 192.168.1.6 (192.168.1.6) port 9800 (#0)
* Server auth using Basic with user '######'
> PROPFIND / HTTP/1.1
> Host: 192.168.1.6:9800
> Authorization: Basic #######################
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 207 Multi-Status
HTTP/1.1 207 Multi-Status
< Server: nginx
Server: nginx
< Date: Sun, 09 Apr 2023 21:28:32 GMT
Date: Sun, 09 Apr 2023 21:28:32 GMT
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Connection: keep-alive
Connection: keep-alive
<
* Excess found: excess = 1370 url = / (zero-length body)
* Connection #0 to host 192.168.1.6 left intact
[REQUEST] ASUSTOR WebDAV Auth Digest
Nazar78
- Posts: 2235
- Joined: Wed Jul 17, 2019 10:21 pm
- Location: Singapore
Just opened a feature request ticket with Asustor. WebDAV over HTTPS is quite good for remote backups. I'm using it daily, with scheduled auto backups from mobile devices remotely to the NAS, but unfortunately it has clear text credentials security concerns even over SSL. Hope they can do something about it and not, like always, let it fall on deaf ears. Will update the thread as necessary.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps
When posting, consider checking the box "Notify me when a reply is posted" to get faster response
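Added illustration of the difference this request is about (example code, not part of Nazar78's post or of Asustor's module): it parses a WWW-Authenticate line like the one in the curl output above, decodes a Basic credential to show it is only base64, and computes the RFC 2617 MD5 Digest response to show that only a nonce-bound hash, never the password, travels in the header. The sample header value and the RFC 2617 example credentials are constructed test inputs, not values from this NAS.

```python
"""Basic vs Digest: what an observer holding the Authorization header learns."""
import base64
import hashlib
import re

# Constructed sample, modelled on the WWW-Authenticate line returned by the WebDAV port above.
SAMPLE_CHALLENGE = 'WWW-Authenticate: Basic realm="ASUSTOR WebDAV"'


def parse_challenge(header_line):
    """Return (scheme, params) for a WWW-Authenticate header line, e.g. ('Basic', {'realm': ...})."""
    value = header_line.split(":", 1)[1].strip()
    scheme, _, rest = value.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def is_basic_challenge(header_line):
    """True when the server only offers Basic, i.e. the password itself will be sent."""
    scheme, _ = parse_challenge(header_line)
    return scheme.lower() == "basic"


def decode_basic(authorization_value):
    """A Basic credential is base64 of 'user:password'; anyone holding the header recovers both."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth: HA1 and HA2 are hashed together with the server nonce,
    so the header carries a one-time, nonce-bound value rather than the password."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
```

Running `digest_response` with the RFC 2617 section 3.5 example (user Mufasa, realm testrealm@host.com, password "Circle Of Life", GET /dir/index.html) reproduces the RFC's published response, while `decode_basic` on any captured Basic header hands back the plaintext password directly.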
Nazar78
- Posts: 2235
- Joined: Wed Jul 17, 2019 10:21 pm
- Location: Singapore
Re: [REQUEST] ASUSTOR WebDAV Auth Digest
The expected reply:
Hi #####,
Thanks for contacting us.
For the issue mentioned, I'll forward it to the engineer team for further evaluation.
Please don't hesitate to contact us if you have further questions.
Best regards.
Jack Ni
Technical Support Department
Tel: +886-2-7737-0888 #3903
Fax: +886-2-7737-0899
ASUSTOR Inc.,