Date: Wed, 16 Jul 2003 08:17:37 +0200
From: Michael Renzmann <security@...anic.de>
To: cw <security@...ei.co.uk>
Subject: Re: Asus AAM6000EV ADSL Router Wide Open


Hi all.

cw wrote:
>> It's far worse than that, if the state in which my router was 
>> supplied is typical. As I received it, the webserver was enabled by
>>  default, *and* was accessible from the internet as well as the 
>> local network.
> I too got my router from Solwise however I do not find this to be the
> case. I have no ip filters set up yet both the telnet and web servers
> are only accessible from the local network. This was true with both
> 71205a10 and 71205a32 firmware.

As for the device I have in use here (delivered pre-configured from my 
provider): not reachable from the internet. Firmware version is 71238a11.

>> Fortunately this has been fixed in the last flash update (71205a32)
>> but this same update also removes the requirement to specify a
>> username. You now only need any one of the valid passwords to
>> login.

Finding new firmware versions is hard if the vendor doesn't list a 
product on his website. At least I wasn't able to find it there (tried 
the global website as well as the German). Any ideas where else to look 
for a newer firmware version?

> *waits for another round of out of office/dead mailbox
> auto-responders*

Yeah, that's fun. I received something about 10 messages. Out of office 
replies, anti-spam-notices ("please click on the following link to 
confirm your message"), "unable to deliver" messages... why can't people 
remove inactive accounts, and why can't they tell the mailing list 
program to switch them temporarily off the feed?

Bye, Mike


