lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <6b9e0167-0947-383a-55b1-3e3facc41202@joeykelly.net>
Date: Mon, 27 Mar 2017 18:54:37 -0400
From: Joey Kelly <joey@...ykelly.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Vulnerabilities in Transcend Wi-Fi SD Card

On 03/26/2017 04:43 PM, MustLive wrote:
> Brute Force (WASC-11):
>
> There is no protection against BF attacks in admin panel 192.168.11.254,
> because Basic Authentication is used. It is unlikely that the owner will
> change the login and password for the admin panel. But if they do, then they
> can still be picked up.

This conflates two issues, and anyhow, Basic Authentication is not a problem (Digest won't be any more secure than Basic, if SSL is used... is it present?).

> Cross-Site Request Forgery (WASC-09):
>
> There are CSRF vulnerabilities in admin panel. Such as this one: in the login
> process there is no captcha, so besides the lack of protection against BF, a
> CSRF attack can also be made. It's possible to remotely enter into the admin panel
> (with default login and password) for conducting further CSRF attacks.

CAPTCHA has nothing to do with CSRF. Neither do default credentials.

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
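The reply's point is that brute-force resistance and CSRF protection are two separate controls, and that neither a CAPTCHA nor the choice of Basic versus Digest addresses CSRF. The following added example (not code from either poster or from the device vendor) shows the two controls side by side for a hypothetical embedded admin panel: a per-session synchronizer token plus Origin check that a cross-site page cannot satisfy, and a failed-attempt lockout placed in front of HTTP Basic Authentication. The origin value reuses the panel address from the post with an assumed https scheme; the credentials are constructed placeholders, not the device's defaults.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed origin of the panel (address from the post, https scheme assumed for the example).
ALLOWED_ORIGIN = "https://192.168.11.254"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the session; the page embeds it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_ok(session: Dict[str, str], submitted: Optional[str], origin: Optional[str]) -> bool:
    """A cross-site page can make the victim's browser send cookies or cached Basic
    credentials, but it cannot read the per-session token, so a missing or mismatched
    token (or a foreign Origin header) means the request was not issued by the panel."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


class LoginLimiter:
    """Per-client consecutive-failure counter; the brute-force control."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self._failures: Dict[str, int] = {}

    def locked(self, client: str) -> bool:
        return self._failures.get(client, 0) >= self.max_failures

    def record(self, client: str, success: bool) -> None:
        if success:
            self._failures.pop(client, None)
        else:
            self._failures[client] = self._failures.get(client, 0) + 1


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header as a browser would for HTTP Basic (constructed input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; return None on any malformed input."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_login(limiter: LoginLimiter, client: str, header: Optional[str],
                expected_user: str, expected_password: str) -> int:
    """Return an HTTP status: 429 while locked out, 401 on bad credentials, 200 on success.
    The lockout is checked before the credentials so a locked client learns nothing."""
    if limiter.locked(client):
        return 429
    creds = parse_basic(header)
    ok = (creds is not None
          and hmac.compare_digest(creds[0].encode(), expected_user.encode())
          and hmac.compare_digest(creds[1].encode(), expected_password.encode()))
    limiter.record(client, ok)
    return 200 if ok else 401
```

Note that `csrf_ok` never looks at the Authorization header and `check_login` never looks at the token: passing one check says nothing about the other, which is the distinction the reply draws.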