lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <OF573D37A2.8E5427F6-ON87256EA9.00668BEB-87256EA9.0066B037@bio-rad.com>
Date: Fri, 4 Jun 2004 12:41:37 -0600
From: "David Pipe" <David_Pipe@...-rad.com>
To: bugtraq@...urityfocus.com
Subject: The Linksys WRT54G "security problem" doesn't exist


> In a recent client installation I discovered that even if the remote 
> administration function is turned off, the WRT54G provides the 
> administration web page to ports 80 and 443 on the WAN.

I think the "Independent consultant" quoted in InternetWeek is wrong.  I 
think he either has a defective router or his cables are plugged into the 
wrong end of the thing.

This clearly works properly on my Linksys WRT54G.  No access of 
administrative site on the WAN side when it's turned off.  Period.

Comments and questions:

1) No one has been able to confirm this problem.  Isn't that right?

2) The "Independent consultant" did not say he tried with more than one 
router,  and it appears that he did not ask anyone else if they would 
check this out on their routers before he decided the sky was falling.

3) Thousands and thousands of these things have been sold for months an no 
one has reported this error before.

4) Certainly such an aggregious error would have been discovered before 
now, as hackers routinely bang away at IP addresses and find this stuff.

5) Does he really think that Cisco/Linksys would not test such a basic 
basic basic aspect of this router's security?

6) How did this get on to InternetWeek?  Does anyone actually check these 
things out before publishing them?

Please, prove me wrong on all points.  Can anyone reproduce this?

Dave


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ