Category: Access Control
Use Cisco IOS FTP server to bypass Microsoft "security patch"
Microsoft decided a while ago to disable the ability to send username and password encoded in URL to a web server. This "security patch" also prevents you from serving files from Cisco IOS web server without explicit user login (IOS web server does not support anonymous access). However, as the Microsoft patch does not affect FTP, you can use FTP server embedded in most Cisco IOS images and download files to your web browser with the ftp://user:password@router/file URL.
Disable command execution with Cisco IOS web server
If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
Include a default username/password in web request
I've got a great question related to a previous post:
Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
http://guest:guest@router/level/1/exec/show/ip/interface/brief
Note: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.