lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 04 Jun 2004 17:01:41 -0500
From: insecure <insecure@...ritech.net>
To: David Pipe <David_Pipe@...-rad.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: The Linksys WRT54G "security problem" doesn't exist


David Pipe wrote:

>>In a recent client installation I discovered that even if the remote 
>>administration function is turned off, the WRT54G provides the 
>>administration web page to ports 80 and 443 on the WAN.
>>    
>>
>
>I think the "Independent consultant" quoted in InternetWeek is wrong.  I 
>think he either has a defective router or his cables are plugged into the 
>wrong end of the thing.
>
>This clearly works properly on my Linksys WRT54G.  No access of 
>administrative site on the WAN side when it's turned off.  Period.
>
>Comments and questions:
>
>1) No one has been able to confirm this problem.  Isn't that right?
>
>2) The "Independent consultant" did not say he tried with more than one 
>router,  and it appears that he did not ask anyone else if they would 
>check this out on their routers before he decided the sky was falling.
>
>3) Thousands and thousands of these things have been sold for months an no 
>one has reported this error before.
>
>4) Certainly such an aggregious error would have been discovered before 
>now, as hackers routinely bang away at IP addresses and find this stuff.
>
>5) Does he really think that Cisco/Linksys would not test such a basic 
>basic basic aspect of this router's security?
>
>6) How did this get on to InternetWeek?  Does anyone actually check these 
>things out before publishing them?
>
>Please, prove me wrong on all points.  Can anyone reproduce this?
>
>Dave
>
>  
>
OK, you're wrong on all points. Here's a quote from the vendor:

Linksys, A division of Cisco Systems, Inc.

Product:                WRT54G

Classification:         Firmware Release History

Firmware  Date:        6/2/2004

Release Date:           BETA RELEASE

Last Firmware Version: 2.02.8_BETA 
__________________________________________________________________________
Firmware 2.02.8_BETA
- Resolved security issue where remote management is enabled on port 80 
and 443 when firewall is disabled

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ